Schneider Electric Modicon Controllers (Update A)
MonitorCVSS 5.4ICS-CERT ICSA-24-354-07Jul 9, 2024
Schneider ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionRequired
Summary
This is a cross-site scripting (XSS) vulnerability in Schneider Electric Modicon Controllers' web interface. An attacker can inject arbitrary JavaScript that executes in the browser of an engineer accessing the controller remotely. This could allow theft of session credentials or further compromise of the engineering workstation. Affected models are M262, M258/LMC058, M241, and M251. M262 and M258/LMC058 have firmware fixes available through EcoStruxure Machine Expert v2.2.2. M241 and M251 do not have fixes planned.
What this means
What could happen
An attacker who gains access to the engineering workstation can inject malicious JavaScript that runs in the browser of an engineer viewing the controller's web interface, potentially allowing credential theft or further system compromise.
Who's at risk
This affects operators and engineers managing Schneider Electric Modicon PLCs (M241, M251, M258/LMC058, M262) in industrial automation and energy facilities. The primary risk is to engineering workstations running EcoStruxure Machine Expert software that communicate with these controllers.
How it could be exploited
The attacker must have network access to an engineering workstation with EcoStruxure Machine Expert installed, or to the Modicon controller's web interface. They inject a malicious script into a page viewed by an engineer (via MITM, compromised engineering workstation, or if the controller is internet-facing). When the engineer visits the affected page, the injected JavaScript executes in their browser context.
Prerequisites
- Network access to the engineering workstation running EcoStruxure Machine Expert or to the Modicon controller's web interface
- Ability to inject payload into web traffic (e.g., via MITM or compromised intermediate system)
- Engineer user must visit the page containing the injected payload
- Affected firmware versions below stated thresholds running on target controller
Remotely exploitable via network accessRequires user interaction (engineer must visit affected page)Low complexity attackCross-site scripting (XSS) impacts confidentiality and integrityM241 and M251 have no fix availableAffects engineering workstation security
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Affected products (9)
7 with fix2 EOL
ProductAffected VersionsFix Status
Modicon Controllers M241<5.2.11.245.2.11.24
Modicon Controllers M258<5.0.4.195.0.4.19
Modicon Controllers M262<5.2.8.265.2.8.26
Modicon Controllers M251<5.2.11.245.2.11.24
Modicon Controllers LMC058<5.0.4.195.0.4.19
Schneider Electric Modicon Controllers M251: <5.2.11.24<5.2.11.24No fix (EOL)
Schneider Electric Modicon Controllers M262: <5.2.8.26<5.2.8.262.2.2 of EcoStruxure Machine Expert
Schneider Electric Modicon Controllers M258 / LMC058: <5.0.4.19<5.0.4.192.2.2 of EcoStruxure Machine Expert
Remediation & Mitigation
0/6
Do now
0/2WORKAROUNDFor M241 and M251 (no firmware fix available): restrict network access to controller web interface to engineering workstations only via firewall rules
WORKAROUNDFor M241 and M251: disable the web interface on controllers if not required for operations
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HOTFIXUpdate EcoStruxure Machine Expert on engineering workstations to version 2.2.2 or later
HOTFIXUpdate Modicon M262 firmware to v5.2.8.26 or later using EcoStruxure Machine Expert v2.2.2 and SESU application, then reboot the controller
HOTFIXUpdate Modicon M258/LMC058 firmware to v5.0.4.19 or later using Controller Assistant in EcoStruxure Machine Expert and perform controller reboot
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: Schneider Electric Modicon Controllers M251: <5.2.11.24, Schneider Electric Modicon Controllers M241: <5.2.11.24. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate engineering workstations from untrusted networks
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/4582ffe7-1042-4d07-b7df-ac6b5cf40932Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.