Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M340, M580 and M580 Safety PLCs
Plan Patch · CVSS 8.1 · ICS-CERT ICSA-24-331-03 · Feb 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Schneider Electric has identified multiple vulnerabilities affecting Modicon M340, M580, and M580 Safety PLCs, as well as EcoStruxure Control Expert and Process Expert software. The vulnerabilities stem from hardcoded credentials, weak authentication, and insecure credential storage (CWE-798, CWE-522, CWE-924). Exploitation could allow unauthorized access to PLCs, potentially resulting in denial of service, unauthorized process modifications, or loss of confidential process data. M340 and M580 Safety CPUs have firmware updates available. M580 non-Safety, MC80, and Momentum Unity M1E processors are end-of-life products with no fixes planned.
What this means
What could happen
An attacker with network access could gain unauthorized access to Modicon PLCs and EcoStruxure software, potentially allowing them to read sensitive process data, alter control logic or setpoints, or shut down operations. The vulnerability affects both legacy M340 systems and modern M580 safety-critical controllers used in power generation and industrial processes.
Who's at risk
Energy utilities and manufacturing plants using Schneider Electric Modicon M340, M580, M580 Safety, MC80, or Momentum PLCs for critical process control. Organizations using EcoStruxure Control Expert or Process Expert software for PLC programming and monitoring. This affects power generation, water/wastewater treatment, oil and gas, chemical processing, and discrete manufacturing facilities where PLCs manage critical operations.
How it could be exploited
An attacker on the network could send a malicious request to the affected PLC or engineering software that exploits hardcoded credentials or weak authentication mechanisms (CWE-798, CWE-522). Once authenticated, they could execute commands or modify the controller's configuration. M580 and M340 PLCs that are network-reachable (via standard industrial protocols like Modbus TCP or EtherNet/IP) would be vulnerable if running affected firmware versions.
Prerequisites
- Network access to the PLC or EcoStruxure workstation (typically on port 502 for Modbus or port 44818 for EtherNet/IP)
- PLC or software running affected version (M340 <SV3.60, M580 <SV4.20, M580 Safety <SV4.21, Control Expert <16.0, Process Expert <15.3_HF008)
- No valid credentials required (vulnerability related to hardcoded or default credentials, CWE-798)

remotely exploitable · no authentication required (hardcoded/default credentials) · affects safety systems (M580 Safety PLC) · high CVSS score (8.1) · no patch available for M580 non-Safety, MC80, and Momentum Unity M1E (end-of-life products)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
5 with fix · 3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety) | <SV4.20 | SV4.20 |
| Modicon MC80 (part numbers BMKC80) All Versions | All versions | No fix (EOL) |
| Modicon Momentum Unity M1E Processor (171CBU*) All versions | All versions | No fix (EOL) |
| Modicon M340 CPU (part numbers BMXP34*) | <SV3.60 | SV3.60 |
| Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) | <SV4.21 | SV4.21 |
| EcoStruxure™ Control Expert | <v16.0 | 16.0 |
| EcoStruxure™ Process Expert | <v2023 | 15.3_HF008 |
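
To triage a PLC asset inventory against the affected-products table above, the following added example (not part of the advisory or any Schneider Electric tooling) matches part numbers to a product family and compares firmware against the first fixed version. The host names and inventory rows are constructed; treating BMKC80 as a part-number prefix and comparing the minor version numerically are assumptions.

```python
import fnmatch
import re

# Rules transcribed from the affected-products table: (family, part-number
# globs, first fixed firmware or None when no fix is planned). Safety CPUs come
# first because BMEP58*S / BMEH58*S also match the broader BMEP* / BMEH* globs.
RULES = [
    ("M580 Safety", ["BMEP58*S", "BMEH58*S"], (4, 21)),
    ("M580", ["BMEP*", "BMEH*"], (4, 20)),
    ("M340", ["BMXP34*"], (3, 60)),
    ("MC80", ["BMKC80*"], None),  # assumption: BMKC80 is a prefix
    ("Momentum Unity M1E", ["171CBU*"], None),
]

def parse_sv(text):
    """Turn 'SV4.10' or 'sv3.60' into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"\s*(?:SV)?\s*(\d+)\.(\d+)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(part_number, firmware):
    """Return (family, status); status is 'update', 'ok', 'no-fix' or 'not-listed'."""
    pn = part_number.upper()
    for family, globs, fixed in RULES:
        if any(fnmatch.fnmatchcase(pn, g) for g in globs):
            if fixed is None:
                return family, "no-fix"  # EOL: segmentation is the only control
            return family, ("ok" if parse_sv(firmware) >= fixed else "update")
    return None, "not-listed"

# Constructed sample inventory: (host, part number, reported firmware).
INVENTORY = [
    ("plc-boiler-01", "BMEP584040", "SV4.10"),
    ("plc-sis-01", "BMEP584040S", "SV4.21"),
    ("plc-pump-07", "BMXP342020", "sv3.50"),
    ("plc-skid-02", "BMKC8020310", "SV1.80"),
]

def report(inventory=INVENTORY):
    return {host: triage(pn, fw) for host, pn, fw in inventory}

if __name__ == "__main__":
    for host, (family, status) in report().items():
        print(f"{host:15} {family or '-':20} {status}")
```

Devices reported as `no-fix` have no firmware remedy in the table, so the hardening items under "Do now" are the controls that apply to them.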
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict access to PLCs and engineering workstations from untrusted networks; deploy firewall rules to allow only authorized engineering and SCADA hosts to connect to Modicon PLCs
- HARDENING: Disable remote access to PLCs and engineering software unless absolutely required; if remote access is needed, require VPN with multi-factor authentication
- HARDENING: Audit and remove any default or hardcoded credentials from PLC configurations and engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Modicon M340 PLC firmware to SV3.60 or later
- HOTFIX: Update Modicon M580 PLC firmware to SV4.20 or later
- HOTFIX: Update Modicon M580 Safety PLC firmware to SV4.21 or later
- HOTFIX: Update EcoStruxure Control Expert to version 16.0 or later (minimum 16.0 HF001 required for M580 Safety compatibility)
- HOTFIX: Update EcoStruxure Process Expert to version 15.3_HF008 or later