Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H

Plan Patch8.6ICS-CERT ICSA-25-035-06Jan 14, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability exists in the Web Server implementation on Schneider Electric Modicon M340 programmable automation controllers and associated communication modules (BMXNOE0100, BMXNOE0110, BMXNOR0200H). The vulnerability allows unauthorized information disclosure from web pages, unauthorized modification of web pages, and denial of service conditions. These outcomes could render controllers or modules unavailable and disrupt automation and monitoring capabilities.

What this means

What could happen

An attacker with network access to the web server on Modicon M340 controllers or network modules could read sensitive information, modify web pages, or cause the controller to become unavailable, disrupting process automation and monitoring.

Who's at risk

Schneider Electric Modicon M340 programmable automation controllers and their network communication modules (BMXNOE0100 Modbus/TCP, BMXNOE0110 FactoryCast, BMXNOR0200H Ethernet/Serial RTU) are affected. Organizations managing energy infrastructure, water systems, or any industrial process relying on Modicon M340 for automation and monitoring should assess their exposure.

How it could be exploited

An attacker sends HTTP requests to the web server on the Modicon M340, BMXNOE0100, BMXNOE0110, or BMXNOR0200H module over the network. The vulnerability in the web server implementation allows the attacker to access restricted information, alter web content served by the controller, or trigger a denial of service condition without requiring credentials.

Prerequisites

Network access to the HTTP/HTTPS port on the Modicon M340 or communication module
No authentication required
Module must be running a vulnerable firmware version

Remotely exploitableNo authentication requiredLow complexityInformation disclosure and denial of serviceNo patch available for Modicon M340 processors themselves

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (4)

3 with fix1 EOL

ProductAffected VersionsFix Status

Modicon M340 processors All versionsAll versionsNo fix (EOL)

Modbus/TCP Ethernet Modicon M340 module<SV3.60SV3.60

Modbus/TCP Ethernet Modicon M340 FactoryCast module<SV6.80SV6.80

Ethernet / Serial RTU module<SV1.70IR26SV1.70IR26

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDImplement firewall rules to block unauthorized HTTP/HTTPS access to the Modicon M340 and network modules from untrusted networks

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Modbus/TCP Ethernet Modicon M340 module

HOTFIXUpdate BMXNOE0100 (Modbus/TCP Ethernet Modicon M340 module) to firmware version SV3.60 or later

Modbus/TCP Ethernet Modicon M340 FactoryCast module

HOTFIXUpdate BMXNOE0110 (Modbus/TCP Ethernet Modicon M340 FactoryCast module) to firmware version SV6.80 or later

All products

HOTFIXUpdate BMXNOR0200H (Ethernet/Serial RTU module) to firmware version SV1.70IR26 or later

Mitigations - no patch available

0/1

Modicon M340 processors All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGFor Modicon M340 processors (no patch available): implement network segmentation to restrict access to the controller's web server to trusted engineering networks only

CVEs (1)

CVE-2024-12142

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/82ec8b1c-4d2b-432b-b0c8-aa20c14dc8c8