Schneider Electric Modicon Controllers (Update B)

Action: Plan Patch
CVSS: 7.5
ICS-CERT: ICSA-25-140-08
Published: May 13, 2025
Vendor: Schneider Electric
Sectors: Energy, Manufacturing

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 contain a vulnerability that allows unauthenticated remote file read access. An attacker on the network can read arbitrary files from the controller without credentials, potentially exposing control logic, configuration settings, or sensitive data. Modicon M241 and M251 are fixed in firmware version 5.3.12.48; M258 and LMC058 are fixed in version 5.0.4.19. Firmware updates are delivered through EcoStruxure Machine Expert v2.3 or EcoStruxure Automation Expert - Motion v24.1 using the Controller Assistant feature.

What this means
What could happen
An attacker on the network could read arbitrary files from the controller without authentication, potentially exposing sensitive configuration data, control logic, or credentials stored on the device. This could lead to compromise of the machine's operation or disclosure of proprietary process information.
Who's at risk
Operators and managers of Schneider Electric Modicon controller-based systems in manufacturing and energy sectors should prioritize this update. Affected models include the M241 and M251 compact PLCs, the M258 machine automation controller, and the LMC058 legacy controller. Any facility using these controllers for machine control, process automation, or infrastructure management is potentially impacted.
How it could be exploited
An attacker with network access to the controller can send unauthenticated requests to read arbitrary files from the device's file system. No credentials or special configuration are required—the vulnerability exists in the default state of affected firmware versions.
Prerequisites
  • Network access to the Modicon controller
  • No authentication required
  • Vulnerable firmware version running on the device
Tags: remotely exploitable; no authentication required; low complexity; sensitive data exposure; no patch available yet for some products (advisory update indicates recent availability)
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (4)
4 with fix
Product                    | Affected Versions | Fix Status
Modicon Controllers M241   | < 5.3.12.48       | 5.3.12.48
Modicon Controllers M251   | < 5.3.12.48       | 5.3.12.48
Modicon Controllers M258   | < 5.0.4.19        | 5.0.4.19
Modicon Controllers LMC058 | < 5.0.4.19        | 5.0.4.19
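A defender's first step is usually to find which fielded controllers still run a pre-fix firmware. The following Python script, added here as an example and not part of the advisory or of Schneider Electric's tooling, triages a controller inventory against the fixed-version table above; the hostnames and firmware values in the sample inventory are constructed for illustration.

```python
"""Triage a Modicon controller inventory against the advisory's fixed-version table."""
from typing import List, Tuple

# Fixed firmware versions taken from the advisory's affected-products table.
FIXED_VERSIONS = {
    "M241": "5.3.12.48",
    "M251": "5.3.12.48",
    "M258": "5.0.4.19",
    "LMC058": "5.0.4.19",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted firmware string into integers.

    Plain string comparison is wrong here: "5.3.9.20" > "5.3.12.48" as text,
    so a device on 5.3.9.x would be reported as fixed. Numeric tuples compare correctly.
    """
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable firmware version {version!r}") from exc


def is_affected(model: str, firmware: str) -> bool:
    """True when the model is listed in the advisory and its firmware is below the fix."""
    fixed = FIXED_VERSIONS.get(model.upper())
    if fixed is None:
        return False  # model not covered by this advisory
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (hostname, model, firmware, fixed_version) for every device needing the hotfix."""
    needs_patch = []
    for host, model, firmware in inventory:
        if is_affected(model, firmware):
            needs_patch.append((host, model, firmware, FIXED_VERSIONS[model.upper()]))
    return needs_patch


# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = [
    ("plc-line1", "M241", "5.3.9.20"),      # below fix, string compare would miss it
    ("plc-line2", "M251", "5.3.12.48"),     # at fixed version
    ("plc-packaging", "M258", "5.0.3.7"),   # below fix
    ("plc-legacy", "LMC058", "5.0.4.19"),   # at fixed version
    ("plc-other", "M262", "5.1.0.0"),       # model not in this advisory
]

if __name__ == "__main__":
    for host, model, firmware, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} firmware {firmware} is below {fixed}; schedule the hotfix")
```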
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Modicon controllers to only authorized engineering and management workstations using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M241 firmware to version 5.3.12.48 or later using the EcoStruxure Machine Expert v2.3 or EcoStruxure Automation Expert - Motion v24.1 Controller Assistant feature, then reboot the controller
HOTFIX: Update Modicon M251 firmware to version 5.3.12.48 or later using the EcoStruxure Machine Expert v2.3 or EcoStruxure Automation Expert - Motion v24.1 Controller Assistant feature, then reboot the controller
HOTFIX: Update Modicon M258 firmware to version 5.0.4.19 or later using the EcoStruxure Machine Expert Controller Assistant feature, then reboot the controller
HOTFIX: Update Modicon LMC058 firmware to version 5.0.4.19 or later using the EcoStruxure Machine Expert Controller Assistant feature, then reboot the controller

