OTPulse

Schneider Electric communication modules for Modicon M580 and Quantum controllers (Update B)

Priority: Act Now
CVSS score: 9.8
Source: ICS-CERT ICSA-25-058-01, Feb 27, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Modicon M580 and Quantum communication modules contain a stack overflow vulnerability (CWE-787) that could allow an attacker with network access to execute arbitrary code on the module. Affected modules include BMENOC0321, BMECRA31210, BMXCRA31200, BMXCRA31210, 140CRA31200 (Quantum RIO Drop), and 140CRA31908 (M580 Quantum S908 RIO Drop Adapter). Successful exploitation could result in loss of confidentiality, integrity, and availability of the device.

What this means
What could happen
An attacker could exploit a stack overflow in the communication module to run arbitrary code on the device, potentially disrupting remote I/O communication between the controller and distributed field devices, or altering control commands in transit.
Who's at risk
Energy sector operators, particularly electric utilities and municipal power authorities, using Schneider Electric Modicon M580 or Quantum controllers with any of these communication modules: BMENOC0321, BMECRA31210, BMXCRA31200, BMXCRA31210, 140CRA31200 (Quantum RIO Drop), or 140CRA31908 (M580 Quantum S908 RIO Drop Adapter). These modules handle remote I/O communication, so compromise could affect distributed field device control and sensor telemetry.
How it could be exploited
An attacker with network access to the communication module could send specially crafted network packets to the module's service port. The module processes the packet without proper bounds checking, causing a stack overflow that allows the attacker to execute arbitrary code on the module and potentially compromise the connected Modicon M580 or Quantum controller system.
Prerequisites
  • Network access to the communication module (typically on the industrial network)
  • No credentials required
  • The communication module must be operating and reachable on the network
Key factors: remotely exploitable · no authentication required · low complexity · critical CVSS score (9.8) · affects remote I/O and distributed device communication
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (6, all with a fix available)

Product | Model | Affected Versions | Fix Status
Modicon M580 communication modules BMENOC | BMENOC0321 | < SV1.10 | Fixed in SV1.10
Modicon M580 communication modules BMECRA | BMECRA31210 | < SV02.80 | Fixed in SV02.80
Modicon M580/Quantum communication modules BMXCRA | BMXCRA31200 | < SV02.80 | Fixed in SV02.80
Modicon M580/Quantum communication modules BMXCRA | BMXCRA31210 | < SV02.80 | Fixed in SV02.80
140CRA31200 (Quantum RIO Drop) | 140CRA31200 | < V02.80 | Fixed in V02.80
140CRA31908 (M580 Quantum S908 RIO Drop Adapter) | 140CRA31908 | < V02.80 | Fixed in V02.80
Remediation & Mitigation

Do now
  • HARDENING: Isolate the control system network and communication modules behind firewalls; ensure they are not accessible from business networks or the Internet.
  • HARDENING: Restrict physical access to communication modules and controllers; keep devices in locked cabinets and never leave controllers in Program mode.

Schedule (requires a maintenance window)

Patching may require a device reboot; plan for process interruption.

  • 140CRA31200 (Quantum RIO Drop), affected versions < V02.80
    HOTFIX: Update 140CRA31200 (Quantum RIO Drop) to V02.80 or later.
  • 140CRA31908 (M580 Quantum S908 RIO Drop Adapter), affected versions < V02.80
    HOTFIX: Update 140CRA31908 (M580 Quantum S908 RIO Drop Adapter) to V02.80 or later.
  • All products
    HOTFIX: Update BMENOC0321 communication modules to SV1.10 or later.
    HOTFIX: Update BMECRA31210, BMXCRA31200, and BMXCRA31210 communication modules to SV02.80 or later.

Long-term hardening
  • HARDENING: Use secure remote access methods such as VPNs if remote connection to the control system is required.