Schneider Electric Web Designer for Modicon

Monitor | CVSS 7.8 | ICS-CERT ICSA-25-035-05 | Jan 14, 2025
Vendor: Schneider Electric | Sectors: Energy, Manufacturing

Attack path
  • Attack Vector: Local
  • Auth Required: None
  • Complexity: Low
  • User Interaction: Required
Summary

Web Designer for Modicon M340 communication modules contains a vulnerability in how it parses XML-based project files (CWE-611: Improper Restriction of XML External Entity Reference). An attacker could craft a malicious project file containing external entity references that, when opened by a user, could disclose information, compromise the workstation's integrity, or execute arbitrary code with user privileges.

What this means
What could happen
An attacker with local access to a computer running Web Designer could manipulate project XML files to execute arbitrary code or extract sensitive configuration data, potentially compromising the engineering workstation and any controllers it connects to.
Who's at risk
This affects energy and manufacturing organizations using Schneider Electric's Web Designer tool with Modicon M340 communication modules (BMXNOR0200H, BMXNOE0110, BMENOC0311, BMENOC0321). The risk is to engineering workstations and the integrity of controller configurations they manage.
How it could be exploited
The vulnerability exists in how Web Designer handles XML project files. An attacker must gain local access to the engineering workstation (via malicious file or physical access) and trick a user into opening a crafted project file. The malicious XML payload could then execute code with the privileges of the user running Web Designer.
Prerequisites
  • Local access to the engineering workstation running Web Designer
  • User must open a malicious project file
  • No special credentials or authentication required for the vulnerability itself
Tags: no patch available | requires local access | user interaction needed to open malicious file | affects safety-critical engineering tools
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (4 products, all versions EOL)

  Product                           Affected versions           Fix status
  Web Designer for BMXNOR0200H      All versions (vers:all/*)   No fix (EOL)
  Web Designer for BMXNOE0110(H)    All versions (vers:all/*)   No fix (EOL)
  Web Designer for BMENOC0311(C)    All versions (vers:all/*)   No fix (EOL)
  Web Designer for BMENOC0321(C)    All versions (vers:all/*)   No fix (EOL)
Remediation & Mitigation

Do now
  • [Hardening] Restrict project file access to trusted users only and encrypt XML project files at rest
  • [Hardening] Use secure file transfer protocols (SFTP, VPN) when exchanging project files over the network
  • [Workaround] Only open project files received from trusted, verified sources
  • [Hardening] Scan all USB drives and removable media with antivirus before use on the engineering workstation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • [Hardening] Compute and regularly verify hash values of project files before opening them to detect tampering
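The advisory describes the flaw as improper restriction of XML external entity references in project files and recommends verifying file hashes before opening them. The following added example (not code from Schneider Electric or OTPulse) implements both defender-side checks on a workstation: it compares a project file's SHA-256 against a known-good value and uses the standard-library expat parser to report DTD constructs that could pull in external content, without ever resolving them. The file contents, the `M340_Station` project name and the known-good hash are constructed for the demonstration.

```python
import hashlib
import xml.parsers.expat


def scan_project_xml(data: bytes) -> list[str]:
    """Report DOCTYPE/entity constructs that reach outside the file; resolve none of them."""
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"DOCTYPE '{name}' loads an external DTD: {system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            findings.append(f"external entity '{name}' -> {system_id or public_id}")
        elif is_param:
            findings.append(f"parameter entity '%{name};' declared")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"content references external entity at {system_id or public_id}")
        return 1  # non-zero keeps parsing going; nothing is fetched because no sub-parser is created

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_project_file(data: bytes, expected_sha256: str) -> dict:
    """Gate 'open' on both the known-good hash and a clean entity scan."""
    hash_ok = sha256_hex(data) == expected_sha256.lower()
    findings = scan_project_xml(data)
    return {"hash_ok": hash_ok, "findings": findings, "safe_to_open": hash_ok and not findings}


# Constructed sample files: a clean project and a tampered copy carrying an external entity.
BENIGN = b'<?xml version="1.0"?>\n<project name="M340_Station"><module ref="BMXNOE0110"/></project>'
TAMPERED = (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE project [ <!ENTITY ext SYSTEM "file:///placeholder/secret.txt"> ]>\n'
            b'<project name="M340_Station"><module ref="BMXNOE0110">&ext;</module></project>')

if __name__ == "__main__":
    known_good = sha256_hex(BENIGN)  # would normally come from a signed manifest
    print(verify_project_file(BENIGN, known_good))
    print(verify_project_file(TAMPERED, known_good))
```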
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Web Designer for BMXNOR0200H, BMXNOE0110(H), BMENOC0311(C) and BMENOC0321(C), all versions. Apply the following compensating controls:
  • [Hardening] Isolate the engineering workstation from the business network and never connect it to networks other than the intended control network

Source: OTPulse, "Schneider Electric Web Designer for Modicon | CVSS 7.8"