OTPulse

Schneider Electric Modicon M221 Programmable Logic Controller

Monitor | CVSS 7.1 | ICS-CERT ICSA-20-343-04 | Dec 8, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Multiple vulnerabilities in the Schneider Electric Modicon M221 PLC (all versions) allow unauthorized access and control via the Modbus protocol (Port 502/TCP) and programming protocol. The vulnerabilities are related to weak cryptography, lack of authentication, and information disclosure. Successful exploitation could allow an attacker to take control of the PLC, modify process logic, alter operational parameters, or read sensitive program and configuration data.

What this means
What could happen
An attacker who gains network access to the Modicon M221 could gain unauthorized control of the PLC, allowing them to modify process logic, alter setpoints, or halt operations in energy and manufacturing facilities. Sensitive information such as program logic and configuration could also be exposed.
Who's at risk
Energy utilities and manufacturing facilities operating Schneider Electric Modicon M221 programmable logic controllers. This affects any organization using M221 PLCs for process control, particularly those with remote or multi-network environments where the controller may be more exposed.
How it could be exploited
An attacker with network access to Port 502/TCP (Modbus) or via the programming protocol could send crafted requests to the PLC without authentication if unused protocols remain enabled and no password protection is set. The attacker could then upload malicious logic or read the existing program logic and configuration.
Prerequisites
  • Network access to Port 502/TCP or programming protocol on the Modicon M221
  • Programming protocol enabled on the controller
  • No password protection set for project or read/write access
  • High skill level required to craft exploitation payload
  • remotely exploitable via Port 502/TCP
  • no authentication required if protocols not disabled
  • no patch available (end-of-life product)
  • high complexity attack (high skill required)
  • affects process control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Modicon M221: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Disable all unused protocols, especially the programming protocol, via EcoStruxure Machine Expert - Basic configuration
  • HARDENING: Set a password to protect the project in the Modicon M221
  • HARDENING: Set a password for read access on the controller
  • HARDENING: Set a different password for write access on the controller
  • WORKAROUND: Implement a firewall to block all unauthorized access to Port 502/TCP
  • HARDENING: Ensure all controllers are placed in locked cabinets and never left in Program mode
  • HARDENING: Restrict network exposure for all control system devices and ensure they are not accessible from the Internet
Mitigations - no patch available
Modicon M221: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to isolate control system networks from the business network
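
One way to confirm that the Port 502/TCP firewall rule and the network segmentation listed above actually hold is to audit firewall flow logs for Modbus connections that reached the controller from hosts outside an allowlist. This is an added example, not part of the advisory or of any vendor tooling; the log format, IP addresses, allowlist and sample records are constructed assumptions.

```python
import ipaddress

MODBUS_PORT = 502  # Port 502/TCP, as named in the advisory

# Assumed addressing plan (hypothetical, not from the advisory).
CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")   # control system segment
PLC_ADDRS = {ipaddress.ip_address("10.20.0.10")}     # Modicon M221 controllers
AUTHORIZED = {ipaddress.ip_address("10.20.0.50")}    # approved engineering workstation

# Constructed sample flow records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2024-01-01T10:00:01Z 10.20.0.50 10.20.0.10 502 ALLOW
2024-01-01T10:00:07Z 10.20.0.77 10.20.0.10 502 ALLOW
2024-01-01T10:01:12Z 192.168.5.23 10.20.0.10 502 ALLOW
2024-01-01T10:02:30Z 192.168.5.23 10.20.0.10 502 DENY
2024-01-01T10:03:00Z 192.168.5.23 10.20.0.10 443 ALLOW
not a flow record
"""

def audit_modbus_flows(text):
    """Return (timestamp, src, dst, reason) for each permitted Modbus flow
    to a PLC from a source that is not on the allowlist."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src_s, dst_s, port_s, action = parts
        try:
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # skip records with unparsable fields
        # Only permitted Modbus traffic to a known controller is of interest.
        if port != MODBUS_PORT or dst not in PLC_ADDRS or action != "ALLOW":
            continue
        if src in AUTHORIZED:
            continue
        # Distinguish a firewall-rule gap from a segmentation gap.
        reason = ("unauthorized-host-in-control-net" if src in CONTROL_NET
                  else "crosses-segment-boundary")
        findings.append((ts, str(src), str(dst), reason))
    return findings

if __name__ == "__main__":
    for finding in audit_modbus_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any finding means the firewall permitted Modbus traffic that the mitigations above say should be blocked; denied flows are ignored because they show the rule working.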
Schneider Electric Modicon M221 Programmable Logic Controller | CVSS 7.1 - OTPulse