OTPulse

Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon M340, M580 and M580 CPU

CVSS 8.1 · ICS-CERT ICSA-23-227-01 · Aug 15, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A vulnerability in Schneider Electric Modicon controllers allows an attacker to execute unauthorized Modbus functions on the controller by hijacking an authenticated Modbus session. The affected products are EcoStruxure Control Expert (all versions), EcoStruxure Process Expert (v2020 and earlier), and the Modicon M340, M580, M580 Safety, Momentum Unity M1E and MC80 controllers (all versions). Only EcoStruxure Process Expert has a fixed release (v2021 or later); no fix is available for the other products. The weakness lies in the Modbus protocol communication on port 502/TCP between engineering workstations and PLCs. An unauthenticated attacker positioned to observe and tamper with that traffic can inject unauthorized commands into a running controller by taking over a session that the engineering software has already authenticated.

What this means
What could happen
An attacker who can intercept or hijack an authenticated Modbus communication session could inject unauthorized commands into a Modicon PLC, potentially altering process setpoints, disabling safety functions, or stopping operations entirely. This affects both normal control systems and safety-critical applications.
Who's at risk
Energy sector utilities operating Schneider Electric Modicon M340, M580, and M580 Safety CPUs should prioritize this issue. Organizations using EcoStruxure Control Expert or Process Expert engineering software are directly affected. This applies to municipal electric utilities and water authorities that rely on these PLCs for SCADA and process control, as well as any facility with safety-critical applications using Modicon controllers. All versions of the listed controllers and of Control Expert are affected with no vendor fix; the only fixed product is EcoStruxure Process Expert (v2021 or later).
How it could be exploited
An attacker on the same network segment as the PLC and engineering workstation could intercept Modbus traffic on port 502/TCP. Modbus/TCP itself carries no authentication; the session being hijacked is the one the engineering software (EcoStruxure Control Expert or Process Expert) opens with the controller after the application password has been accepted. By taking over that session the attacker inherits its rights and can inject Modbus functions without knowing the password or re-authenticating. This requires the attacker to be able to monitor and modify network traffic in real time.
Prerequisites
  • Network access to port 502/TCP on the affected PLC
  • Ability to sniff or intercept Modbus traffic between engineering workstation and PLC (same network segment or compromised network device)
  • Active authenticated Modbus session between the engineering software and controller
  • No application password set on the PLC (not required; if no application password is set, the controller accepts engineering commands from any host and no session needs to be hijacked at all)
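The prerequisites above describe traffic a defender can watch for on the control network. As an added example (not code from OTPulse, Schneider Electric or ICS-CERT), the following Python audits captured Modbus/TCP frames: it flags UMAS requests (function code 0x5A, which Schneider's engineering software uses over port 502 to program and control Modicon CPUs) and standard write functions from any host other than the engineering workstation, and flags transaction-id discontinuities within an otherwise trusted workstation-to-PLC pair as a weak indicator of an injected frame. The host addresses, the allowlist, the unit id and the sample frames are constructed for illustration.

```python
"""Audit Modbus/TCP requests on a Modicon control network.

Added example: this is not OTPulse's, Schneider Electric's or ICS-CERT's
code. The engineering-workstation allowlist and the sample frames at the
bottom are constructed for illustration; in practice the frames would come
from a capture of port 502/TCP traffic on the control-network span port.
"""
import struct
from dataclasses import dataclass

# Standard Modbus function codes that change controller state
# (write coil/register, write multiple, mask write, read/write multiple).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Function code 90 (0x5A) carries Schneider's UMAS protocol, which the
# engineering software uses to program and control Modicon CPUs.
UMAS_FUNCTION = 0x5A


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def mbap(tid, unit, function, payload):
    """Build one Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function]) + payload
    # The length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(src, dst, data):
    """Parse an MBAP header and PDU; return None if the frame is malformed."""
    if len(data) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:
        return None
    return ModbusRequest(src, dst, tid, unit, data[7], data[8:])


def classify(req, engineering_hosts):
    """Reasons a single request is suspicious (empty list means benign)."""
    reasons = []
    if req.src not in engineering_hosts:
        if req.function == UMAS_FUNCTION:
            reasons.append("UMAS (function 0x5A) from non-engineering host")
        elif req.function in WRITE_FUNCTIONS:
            reasons.append(f"write function {req.function} from non-engineering host")
    return reasons


def audit(packets, engineering_hosts):
    """Run (src, dst, bytes) frames through the checks.

    Returns [(frame_index, [reasons...]), ...] for frames worth a look.
    A frame injected by a man-in-the-middle arrives with the workstation's
    own source address, so the allowlist alone cannot catch it. The
    transaction-id check below is one weak signal for that case: clients
    normally increment the id by one per request, and an injected frame
    usually breaks the run.
    """
    findings = []
    last_tid = {}
    for index, (src, dst, data) in enumerate(packets):
        req = parse_modbus_tcp(src, dst, data)
        if req is None:
            findings.append((index, ["malformed MBAP frame"]))
            continue
        reasons = classify(req, engineering_hosts)
        key = (req.src, req.dst)
        prev = last_tid.get(key)
        if prev is not None and req.transaction_id != (prev + 1) & 0xFFFF:
            reasons.append(f"transaction id jumped {prev} -> {req.transaction_id}")
        last_tid[key] = req.transaction_id
        if reasons:
            findings.append((index, reasons))
    return findings


# Constructed sample: one trusted engineering workstation, one PLC, one rogue host.
ENGINEERING_HOSTS = {"10.10.1.20"}
PLC = "10.10.1.50"
SAMPLE_PACKETS = [
    ("10.10.1.20", PLC, mbap(1, 255, 3, b"\x00\x00\x00\x0a")),      # read holding registers
    ("10.10.1.20", PLC, mbap(2, 255, UMAS_FUNCTION, b"\x00\x01")),   # engineering session
    ("10.10.1.99", PLC, mbap(7, 255, UMAS_FUNCTION, b"\x00\x01")),   # rogue host sends UMAS
    ("10.10.1.20", PLC, mbap(900, 255, 16, b"\x00\x10\x00\x01\x02\x00\x00")),  # id jump
    ("10.10.1.20", PLC, b"\x00\x05\x00\x01\x00\x06\xff\x03"),        # protocol id != 0
]

if __name__ == "__main__":
    for index, reasons in audit(SAMPLE_PACKETS, ENGINEERING_HOSTS):
        print(f"frame {index}: {'; '.join(reasons)}")
```

On the constructed sample this reports the rogue host's UMAS request, the transaction-id jump on the trusted pair, and the malformed frame. A hijacker who tracks the transaction id of the session it takes over will not trip the second check, which is why the mitigations listed below (application password, segmentation, VPN or IPsec) remain the actual fix; this script is a monitoring aid, not a control.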
Tags: remotely exploitable · no authentication required (Modbus session hijacking) · affects safety systems · no patch available for most products · affects all versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7): 1 with fix, 6 with no fix (EOL)

Product | Affected Versions | Fix Status
Modicon M340 CPU (part numbers BMXP34*) | All versions | No fix (EOL)
Modicon M580 CPU (part numbers BMEP* and BMEH*) | All versions | No fix (EOL)
Modicon Momentum Unity M1E Processor (171CBU*) | All versions | No fix (EOL)
Modicon MC80 (BMKC80) | All versions | No fix (EOL)
EcoStruxure Control Expert | All versions | No fix (EOL)
EcoStruxure Process Expert | ≤ 2020 | Fixed in version 2021 or later
Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Set up a VPN between the Modicon PLC controllers and the engineering workstation running EcoStruxure Control Expert or Process Expert
HARDENING: Set an application password in the project properties on all Modicon M340 and M580 CPUs
HARDENING: Implement network segmentation and firewall rules to block all unauthorized access to port 502/TCP
HARDENING: Configure access control lists on Modicon M340 and M580 CPUs according to the vendor manuals
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade EcoStruxure Process Expert to version 2021 or later
HARDENING: Set up secure Modbus communication (IPsec) using the BMENUA0100 module on M580 CPUs where supported
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon M340 CPU (part numbers BMXP34*), Modicon M580 CPU (part numbers BMEP* and BMEH*), Modicon Momentum Unity M1E Processor (171CBU*), Modicon MC80 (BMKC80), EcoStruxure Control Expert, and Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S), all versions. Apply the following compensating controls:
HARDENING: Harden the workstations running EcoStruxure Control Expert or Process Expert (OS patching, antivirus, host firewall)
HARDENING: Implement physical controls: lock cabinet doors, remove controllers from Program mode, prevent unauthorized access to control networks
HARDENING: Isolate control and safety system networks from the business network using firewalls