Schneider Electric Modicon Controllers (Update A)
Monitor6.5ICS-CERT ICSA-25-175-03Jun 10, 2025
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Multiple vulnerabilities in Schneider Electric Modicon Controllers M241, M251, M258, M262, and LMC058. These Programmable Logic Controllers (PLCs) are affected by Cross-Site Scripting (CWE-79), Improper Input Validation (CWE-20), and Uncontrolled Resource Consumption (CWE-400) vulnerabilities that could lead to denial of service or uncontrolled resource consumption, resulting in loss of controller availability.
What this means
What could happen
An attacker with network access to a vulnerable controller could trigger a denial-of-service condition or cause uncontrolled resource consumption, making the PLC unresponsive and disrupting critical manufacturing or energy processes controlled by that device.
Who's at risk
Organizations operating Schneider Electric Modicon micro-PLCs (M241, M251, M258, M262) or motion controllers (LMC058) in energy and manufacturing sectors—including water utilities, electrical substations, pump stations, and production lines—should assess their exposure to these vulnerabilities.
How it could be exploited
An attacker with login credentials and network access to the controller's management interface could send specially crafted input that exploits the input validation, cross-site scripting, or resource consumption flaws. This causes the controller to exhaust resources (CPU, memory) or crash, rendering it unavailable until manual restart.
Prerequisites
- Network access to the Modicon Controller's IP address (typically port 80/443 or proprietary management port)
- Valid engineering workstation or controller management credentials
- Knowledge of the controller's web interface or management protocol
No patch available for M258 and LMC058Low EPSS score (0.1%) but affects critical infrastructure devicesRequires authentication but impacts device availabilityLow complexity attack
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
3 with fix2 EOL
ProductAffected VersionsFix Status
Modicon Controllers M251<5.3.12.515.3.12.51
Modicon Controllers M262<5.3.9.185.3.9.18
Modicon Controllers M258 All versionsAll versionsNo fix (EOL)
Modicon Controllers LMC058 All versionsAll versionsNo fix (EOL)
Modicon Controllers M241<5.3.12.515.3.12.51
Remediation & Mitigation
0/6
Do now
0/2HARDENINGFor M258 and LMC058 controllers with no available patches, implement network-level access controls to restrict management interface access to authorized engineering workstations only
HARDENINGEnforce strong authentication on controller management accounts and disable default credentials if present
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HOTFIXUpdate Modicon M241 firmware to version 5.3.12.51 or later using EcoStruxure Automation Expert – Motion v24.1 or EcoStruxure Machine Expert v2.3 via the Controller Assistant feature
HOTFIXUpdate Modicon M251 firmware to version 5.3.12.51 or later using EcoStruxure Automation Expert – Motion v24.1 or EcoStruxure Machine Expert v2.3 via the Controller Assistant feature
HOTFIXUpdate Modicon M262 firmware to version 5.3.9.18 or later using EcoStruxure Automation Expert – Motion v24.1 or EcoStruxure Machine Expert v2.3 via the Controller Assistant feature
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: Modicon Controllers M258 All versions, Modicon Controllers LMC058 All versions. Apply the following compensating controls:
HARDENINGSegment Modicon Controllers on a dedicated industrial network isolated from office IT networks and internet-facing systems
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/9b865645-f484-41c8-9c16-5c504d27f29f