Schneider Electric SoMachine Basic
Plan Patch | 8.6 | ICS-CERT ICSA-21-103-01 | Apr 13, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
SoMachine Basic (all versions prior to 1.6 SP1) contains an XML External Entity (XXE) vulnerability that allows an attacker with access to an engineering workstation to retrieve arbitrary data from connected Modicon M100/M200/M221 logic controllers via an out-of-band attack mechanism. The vulnerability does not require valid controller credentials. Schneider Electric has discontinued SoMachine Basic and replaced it with EcoStruxure Machine Expert – Basic. No public exploits currently exist for this vulnerability.
What this means
What could happen
An attacker with access to an engineering workstation could exploit this vulnerability to read and extract arbitrary data from the Modicon controller, potentially including application logic, configuration, or sensitive control parameters. This could compromise the integrity of safety and control logic running on the device.
Who's at risk
Energy sector organizations (utilities, generators, distribution networks) using Schneider Electric SoMachine Basic for automation of Modicon M100/M200/M221 programmable logic controllers in substations, generation facilities, or distribution control centers should prioritize remediation. This affects anyone who uses these controllers for critical process control or safety logic.
How it could be exploited
An attacker gains access to an engineering workstation running SoMachine Basic (via physical access, malware, or compromised credentials), then uses the vulnerability to send a specially crafted request to a connected Modicon M100/M200/M221 controller, retrieving sensitive data from the device without authentication. The attack occurs out-of-band, meaning it may bypass normal monitoring or logging mechanisms.
Prerequisites
- Physical or network access to an engineering workstation running a SoMachine Basic version prior to 1.6 SP1
- The workstation must be connected to the network containing a Modicon M100/M200/M221 controller
- No valid controller credentials required to extract data
- No patch available for SoMachine Basic
- No authentication required for exploitation
- Low complexity attack
- Affects industrial controllers in energy sector
- Engineering workstation required as attack vector
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| SoMachine Basic: all | < 1.6 SP1 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict physical access to controllers and engineering workstations with locked cabinets; never leave controllers in Program mode
- HARDENING: Ensure programming software is only connected to the intended device network, never to multiple networks
- HARDENING: Scan all removable media (USB drives, CDs) for malware before connecting to isolated control networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Replace SoMachine Basic with EcoStruxure Machine Expert – Basic v1.1 SP1 or above on all engineering workstations
- HOTFIX: Update Modicon M100/M200/M221 controllers to the latest available firmware version
- HARDENING: Upgrade all application projects to functional level minimum Version 10.2 in EcoStruxure Machine Expert – Basic
- HARDENING: Activate application protection (read and write) in project properties within EcoStruxure Machine Expert – Basic
Mitigations - no patch available
SoMachine Basic (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate control system networks and programming workstations behind firewalls, separated from the business network
CVEs (1)