Schneider Electric Modicon M340 Controller and Communication Modules
Plan Patch · 7.5 · ICS-CERT ICSA-25-238-03 · Aug 12, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An improper input validation vulnerability (CWE-20) affects Schneider Electric Modicon M340 PACs and communication modules. An attacker can send a specially crafted network packet to trigger a denial of service, making the controller or communication module unavailable. The Modicon M340 controller itself, M580 Global Data module, Ethernet/Serial RTU Module, and Modicon M340 X80 Ethernet Communication modules have no patches available. Only the BMXNOE0100 (Modbus/TCP Modicon M340 module) and BMXNOE0110 (Modbus/TCP FactoryCast module) have firmware fixes available.
What this means
What could happen
An attacker with network access to a Modicon M340 controller or communication module could send a specially crafted packet that causes the device to become unavailable, stopping all processes controlled by that PLC until it is rebooted.
Who's at risk
Water and electric utilities using Schneider Electric Modicon M340 PACs (Programmable Automation Controllers) and their communication modules for SCADA operations, including operators of Modbus/TCP Ethernet communication modules and M580 Global Data modules. This affects any facility running Modicon M340-based control systems for pump stations, substations, water treatment plants, or other critical processes.
How it could be exploited
An attacker on the network sends a malformed input packet to the Modicon M340 or its communication modules (Ethernet/Serial RTU, X80 Ethernet, Global Data, Modbus/TCP modules) on port 502 (Modbus) or the configured communication port. The device fails to properly validate the packet content, crashes, and becomes unresponsive to all requests.
Prerequisites
- Network access to the Modicon M340 controller or communication module on the Modbus/TCP port (typically port 502)
- No authentication required
- Device must be reachable from the attacker's network segment
Remotely exploitable · No authentication required · Low complexity attack · No patch available for core M340 controller and most communication modules · Affects operational continuity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
2 with fix · 4 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Modbus/TCP Ethernet Modicon M340 module | <3.60 | 3.60 |
| Modbus/TCP Ethernet Modicon M340 FactoryCast module | <6.80 | 6.80 |
| Modicon M340 | All versions | No fix (EOL) |
| Ethernet / Serial RTU Module | All versions | No fix (EOL) |
| M580 Global Data module | All versions | No fix (EOL) |
| Modicon M340 X80 Ethernet Communication modules | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: For Modicon M340 controller, M580 Global Data module, Ethernet/Serial RTU Module, and X80 Ethernet Communication modules with no fix available, implement network access controls to restrict connections to these devices from untrusted network segments
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Modbus/TCP Ethernet Modicon M340 module
HOTFIX: Update BMXNOE0100 (Modbus/TCP Ethernet Modicon M340 module) firmware to version 3.60 or later
Modbus/TCP Ethernet Modicon M340 FactoryCast module
HOTFIX: Update BMXNOE0110 (Modbus/TCP Ethernet Modicon M340 FactoryCast module) firmware to version 6.80 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon M340 All versions, Ethernet / Serial RTU Module All versions, M580 Global Data module All versions, Modicon M340 X80 Ethernet Communication modules All versions. Apply the following compensating controls:
HARDENING: Place affected Modicon M340 systems on a dedicated, air-gapped industrial network or behind a firewall that blocks unsolicited inbound connections
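
One way to verify that the compensating controls above are holding, as an added example (not part of the advisory or of any Schneider Electric tooling): a Python check over firewall flow records that reports accepted connections to TCP/502 on unpatched devices from sources outside the trusted segments. The IP addresses, segment layout and log line format are constructed assumptions.

```python
"""Added example: audit flow records for untrusted access to Modbus/TCP
on devices that have no fix available."""
import ipaddress

# Port named in the advisory; change it if a device uses another configured port.
MODBUS_PORT = 502

# Assumptions (constructed, not from the advisory): segment and device addresses.
TRUSTED_SEGMENTS = [ipaddress.ip_network("10.20.0.0/24")]  # e.g. SCADA server VLAN
PROTECTED_DEVICES = {
    "10.30.0.11": "Modicon M340 (no fix, EOL)",
    "10.30.0.12": "M580 Global Data module (no fix, EOL)",
}

# Constructed sample records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2025-08-12T09:00:01Z 10.20.0.5 10.30.0.11 502 ACCEPT
2025-08-12T09:00:07Z 192.168.50.23 10.30.0.11 502 ACCEPT
2025-08-12T09:01:15Z 192.168.50.23 10.30.0.12 502 DROP
2025-08-12T09:02:40Z 10.20.0.5 10.30.0.12 80 ACCEPT
malformed line
2025-08-12T09:03:02Z 172.16.4.9 10.30.0.12 502 ACCEPT
"""

def is_trusted(src_ip):
    """True if the source address falls inside any trusted segment."""
    return any(src_ip in net for net in TRUSTED_SEGMENTS)

def audit_flows(text):
    """Return (violations, skipped). A violation is an ACCEPTed flow to
    MODBUS_PORT on a protected device from an untrusted source."""
    violations, skipped = [], 0
    for line in text.splitlines():
        try:
            ts, src, dst, port, action = line.split()
            src_ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if (dst in PROTECTED_DEVICES and port == MODBUS_PORT
                and action == "ACCEPT" and not is_trusted(src_ip)):
            violations.append((ts, src, dst, PROTECTED_DEVICES[dst]))
    return violations, skipped

if __name__ == "__main__":
    found, skipped = audit_flows(SAMPLE_FLOWS)
    for ts, src, dst, device in found:
        print(f"{ts} untrusted {src} reached {dst}:{MODBUS_PORT} ({device})")
    print(f"{len(found)} violation(s), {skipped} unparsable line(s)")
```

Dropped flows are not reported because they show the access control working; any reported line means a firewall rule or segment boundary needs review.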
CVEs (1)
API: /api/v1/advisories/76c18658-e95a-4492-9108-df3eefae4437