OTPulse

Schneider Electric Modicon Controllers

Act Now · 10 · ICS-CERT ICSA-25-114-01 · May 14, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Modicon Programmable Automation Controllers contain multiple vulnerabilities in communication handling and command validation that allow remote code execution. These controllers are widely used in energy and manufacturing for networked control and display of complex processes. Failure to apply fixes may enable execution of unsolicited commands on the PLC, resulting in loss of availability, execution of unsafe operations, or corruption of control logic. The vulnerabilities stem from improper input validation (CWE-125), missing authentication (CWE-290, CWE-807), insufficient security checks (CWE-284, CWE-501), and information disclosure (CWE-200). A February 2025 update addressed additional issues in Quantum Safety processors.

What this means
What could happen
An attacker with network access to a Modicon controller can execute arbitrary commands on the PLC, potentially altering process parameters, stopping operations, or corrupting control logic in critical infrastructure systems.
Who's at risk
Energy utilities and manufacturing facilities using Schneider Electric Modicon controllers for process control and automation. Specifically affects facilities operating Modicon M580, M340, Quantum, Premium, M1E (Momentum), and MC80 series PLCs. Any water authority or electric utility with Modicon-based SCADA or local process control systems should assess their inventory immediately.
How it could be exploited
An attacker on the network sends a specially crafted message to the Modicon controller on port 502 (Modbus TCP) or through network communication without authentication. The controller accepts and executes the command, allowing the attacker to alter the running control program or trigger unsafe actions in the connected equipment.
Prerequisites
  • Network access to the Modicon controller (direct or routed)
  • Controller exposed to a network segment accessible from the attacker
  • Default or weak network segmentation allowing external communication
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High EPSS score (43.3%)
  • Critical CVSS (10.0)
  • Affects industrial process controllers
  • Multiple products end-of-life with no fix available
  • Default or insecure communication protocols
Exploitability
High exploit probability (EPSS 43.3%)
Affected products (19)
16 with fix · 1 pending · 2 EOL

Product           Affected Versions   Fix Status
Modicon M580      <2.90               3.10
Modicon M340      <3.10               3.20
Modicon Quantum   All versions        3.60
Modicon Premium   All versions        3.20
Modicon M580      <2.80               3.10
Remediation & Mitigation
Do now
HARDENING: Set up application password protection in project properties within EcoStruxure Control Expert
WORKAROUND: Segment Modicon controllers from untrusted networks using firewall rules; restrict access to port 502 (Modbus TCP) and port 3292 (Modbus secure) to authorized engineering workstations and control networks only
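The workaround above restricts ports 502 and 3292 to authorized engineering workstations and control networks. The following is an added example (not OTPulse or Schneider Electric code) that audits constructed firewall log lines for Modbus sessions reaching Modicon controllers from hosts outside that allowlist; the controller addresses, allowed subnets and log format are assumptions.

```python
from ipaddress import ip_address, ip_network

MODBUS_PORTS = {502: "Modbus TCP", 3292: "Modbus secure"}
# Constructed inventory and allowlist (assumed addresses, not from the advisory).
MODICON_CONTROLLERS = {"10.10.1.20": "Modicon M580", "10.10.1.21": "Modicon M340"}
AUTHORIZED_SOURCES = [ip_network("10.10.5.0/24"),   # engineering workstations
                      ip_network("10.10.1.0/24")]   # control network

def parse_line(line):
    """Parse a key=value firewall-style log line (constructed format) into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def audit(lines):
    """Return (src, dst, port, product) for every Modbus session that reaches a
    Modicon controller from a host outside the authorized segments."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        try:
            src, dst, dport = ip_address(f["src"]), f["dst"], int(f["dport"])
        except (KeyError, ValueError):
            continue  # malformed or incomplete line: skip rather than crash
        if dst not in MODICON_CONTROLLERS or dport not in MODBUS_PORTS:
            continue  # not a Modbus session to a Modicon controller
        if any(src in net for net in AUTHORIZED_SOURCES):
            continue  # expected traffic from an authorized segment
        alerts.append((str(src), dst, dport, MODICON_CONTROLLERS[dst]))
    return alerts

# Constructed sample log lines.
SAMPLE_LOG = [
    "ts=2025-05-01T10:00:01 src=10.10.5.12 dst=10.10.1.20 dport=502 proto=tcp action=allow",
    "ts=2025-05-01T10:00:07 src=192.168.50.7 dst=10.10.1.20 dport=502 proto=tcp action=allow",
    "ts=2025-05-01T10:00:09 src=10.10.9.5 dst=10.10.1.21 dport=3292 proto=tcp action=allow",
    "ts=2025-05-01T10:00:12 src=192.168.50.7 dst=10.10.1.20 dport=443 proto=tcp action=allow",
    "ts=2025-05-01T10:00:15 src=192.168.50.7 dst=10.10.1.99 dport=502 proto=tcp action=allow",
    "corrupted line with no fields",
]

if __name__ == "__main__":
    for src, dst, port, product in audit(SAMPLE_LOG):
        print(f"ALERT: {MODBUS_PORTS[port]} to {product} ({dst}) from unauthorized host {src}")
```

Sessions to non-Modbus ports, to hosts not in the controller inventory, or from allowlisted subnets are ignored, so the output is only the traffic the segmentation rule should have blocked.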
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Modicon M580
HOTFIX: Update Modicon M580 firmware to version 3.10 or above
Modicon M340
HOTFIX: Update Modicon M340 firmware to version 3.20 or above
All products
HOTFIX: Update Modicon Quantum firmware to version 3.60 or above
HOTFIX: Update Modicon Premium firmware to version 3.20 or above
HOTFIX: Update Modicon MC80 BMKC80 firmware to version 1.80 or above
HOTFIX: Update PLC Simulator for EcoStruxure Control Expert to version 15.1 or above
HOTFIX: Update EcoStruxure Control Expert engineering workstation software to version 14.1
HOTFIX: Rebuild and transfer all projects to controllers after firmware updates to ensure compatibility