Schneider Electric EcoStruxure Power Monitoring Expert (PME) (Update A)

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-25-035-04 | Jan 14, 2025
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric has identified a buffer overflow vulnerability in Modicon M580 PLC firmware, BMENOR2200H RTU communication modules, and EVLink Pro AC charging stations. The vulnerability allows an attacker on the network to send specially crafted packets that crash the device, resulting in denial of service to industrial operations and monitoring. The affected firmware versions are: Modicon M580 CPU (non-Safety) versions before SV4.30, Modicon M580 CPU Safety versions before SV4.21, BMENOR2200H before SV4.02.01, and EVLink Pro AC before version 1.3.10. Fixed firmware versions are available from Schneider Electric for all affected products.

What this means
What could happen
An attacker who can reach the device network-side could send specially crafted packets to trigger a buffer overflow, causing the PLC or communication module to crash and stop processing critical control and monitoring commands for industrial operations.
Who's at risk
Energy and manufacturing organizations that operate Modicon M580 PLCs, BMENOR2200H RTU communication modules, and EVLink Pro AC electric vehicle charging stations. This affects companies running these Schneider Electric automation controllers to manage plant operations, remote monitoring, and EV charging infrastructure.
How it could be exploited
An attacker on the network (or with network access to the device) sends malformed packets that exceed buffer boundaries in the device firmware. The overflow causes the device to crash, resulting in denial of service for industrial control and monitoring functions.
Prerequisites
  • Network reachability to the vulnerable device (Modicon M580 PLC, BMENOR2200H module, or EVLink Pro AC charging station)
  • No authentication required to send the crafted packets
remotely exploitable | no authentication required | low complexity | affects control system availability
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety) | < SV4.30 | SV4.30
Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) | < SV4.21 | SV4.21
BMENOR2200H | < SV4.02.01 | SV4.02.01
EVLink Pro AC | < 1.3.10 | 1.3.10
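To turn the table above into an asset-inventory check, the following added example (not part of the advisory or any Schneider Electric tooling) classifies each device by part number and firmware version. It assumes version fields compare as integers (so 1.3.9 is older than 1.3.10) and uses a constructed sample inventory; the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# (part-number glob, first fixed version) from the advisory's table.
# Safety globs come first so BMEP58*S is not swallowed by the broader BMEP*.
FIXED = [
    ("BMEP58*S", "SV4.21"), ("BMEH58*S", "SV4.21"),
    ("BMEP*", "SV4.30"), ("BMEH*", "SV4.30"),
    ("BMENOR2200H", "SV4.02.01"),
    ("EVLINK PRO AC", "1.3.10"),
]

def parse_version(text):
    """'SV4.02.01' -> (4, 2, 1). Assumption: fields compare as integers."""
    m = re.fullmatch(r"(?:SV)?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def status(product, version):
    """Return 'vulnerable', 'fixed', 'unknown-version' or 'not-listed'."""
    name = product.strip().upper()
    for pattern, fixed in FIXED:
        if not fnmatchcase(name, pattern):
            continue
        try:
            have = parse_version(version)
        except ValueError:
            return "unknown-version"  # needs a manual check, never assume fixed
        want = parse_version(fixed)
        width = max(len(have), len(want))
        have += (0,) * (width - len(have))  # pad so 4.30 == 4.30.0
        want += (0,) * (width - len(want))
        return "vulnerable" if have < want else "fixed"
    return "not-listed"

# Constructed sample inventory (not from the advisory).
INVENTORY = [
    ("BMEP584040", "SV4.25"),
    ("BMEP584040S", "SV4.25"),
    ("BMENOR2200H", "SV4.02.00"),
    ("EVlink Pro AC", "1.3.9"),
    ("BMXP342020", "SV3.20"),
    ("BMEH582040", "unknown"),
]

def audit(inventory):
    return [(p, v, status(p, v)) for p, v in inventory]

if __name__ == "__main__":
    for product, version, result in audit(INVENTORY):
        print(f"{product:15} {version:10} {result}")
```

The same SV4.25 firmware is vulnerable on a non-Safety CPU but fixed on a Safety CPU, which is why the part-number match has to run before the version comparison.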
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the vulnerable devices using firewall rules or network segmentation; allow only authorized engineering workstations and SCADA servers to communicate with these devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

BMENOR2200H
HOTFIX: Update BMENOR2200H module firmware to SV4.02.01 or later
EVLink Pro AC
HOTFIX: Update EVLink Pro AC charging station firmware to version 1.3.10 or later
All products
HOTFIX: Update Modicon M580 CPU (non-Safety models) firmware to SV4.30 or later
HOTFIX: Update Modicon M580 CPU Safety firmware to SV4.21 or later