Schneider Electric PLC Simulator for EcoStruxure Control Expert
Plan PatchCVSS 7.5ICS-CERT ICSA-20-315-03Nov 10, 2020
Schneider ElectricEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
PLC Simulator for EcoStruxure Control Expert contains a denial-of-service vulnerability in the Modbus protocol implementation (CWE-754). The simulator listens on all network interfaces (0.0.0.0) by default, exposing it to remote attacks on port 502/TCP. An attacker with network access can send crafted Modbus packets that cause the simulator to stop responding, disrupting the engineering environment. Schneider Electric reports that all versions of PLC Simulator for Unity Pro and PLC Simulator for EcoStruxure Control Expert are affected.
What this means
What could happen
An attacker with network access could force the PLC Simulator to stop responding (denial of service), disrupting the engineering environment and potentially preventing testing or validation of control logic before deployment to production systems.
Who's at risk
Engineering teams in energy and manufacturing facilities using EcoStruxure Control Expert (and the legacy PLC Simulator for Unity Pro) for offline testing and development of control logic. Development and test environments running the simulator on engineering workstations are affected if those workstations are accessible from the plant network.
How it could be exploited
An attacker on the network sends crafted packets to port 502/TCP (Modbus), the default listening port of the PLC Simulator. The simulator is configured to listen on 0.0.0.0 (all network interfaces) by default, allowing remote connection. The attacker triggers a condition that causes the simulator process to stop responding or crash.
Prerequisites
- Network access to port 502/TCP on the engineering workstation running PLC Simulator
- PLC Simulator configured with default listening IP address (0.0.0.0)
- No firewall rules blocking port 502/TCP
remotely exploitableno authentication requiredlow complexitydefault credentials/configuration exposes vulnerabilityaffects engineering and validation environment
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (5)
2 with fix3 EOL
ProductAffected VersionsFix Status
PLC Simulator for EcoStruxure™ Control Expert prior to v15.0 SP1<15.0 SP115.0 SP1
PLC Simulator for Unity Pro (former name of EcoStruxure™ Control Expert) all versionsAll versionsNo fix (EOL)
PLC Simulator for EcoStruxure™ Process Expert all versionsAll versionsNo fix (EOL)
PLC Simulator for Unity Pro (former name of EcoStruxure Control Expert): all versionsAll versionsNo fix (EOL)
PLC Simulator for EcoStruxure Control Expert: all versionsAll versions15.0
Remediation & Mitigation
0/5
Do now
0/2WORKAROUNDIn the PLC Simulator option dialog, change the listening IP address from 0.0.0.0 (default) to 127.0.0.1 (localhost only)
HARDENINGConfigure firewall rules to block all unauthorized access to port 502/TCP
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate EcoStruxure Control Expert software to Version 15.0 or later
Mitigations - no patch available
0/2The following products have reached End of Life with no planned fix: PLC Simulator for Unity Pro (former name of EcoStruxure™ Control Expert) all versions, PLC Simulator for EcoStruxure™ Process Expert all versions, PLC Simulator for Unity Pro (former name of EcoStruxure Control Expert): all versions. Apply the following compensating controls:
HARDENINGApply workstation, network, and site-hardening guidelines per Schneider Electric Cybersecurity Best Practices guide
HARDENINGIsolate engineering workstations running PLC Simulator behind firewalls on a separate network from business and production systems
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/3205adf1-f00d-4b08-a066-1235390e3b15Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.