Schneider Electric Modicon M340 Controller and Communication Modules

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-25-238-03 | Aug 12, 2025
Schneider Electric | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Modicon M340 controllers and communication modules are vulnerable to a denial-of-service attack caused by improper validation of malformed input. The vulnerability affects several communication modules: BMXNOE0100 (Modbus/TCP Ethernet M340 module), BMXNOE0110 (Modbus/TCP Ethernet M340 FactoryCast module), BMXNOC0401 (M340 X80 Ethernet Communication modules), BMXNOR0200H (M340 IEC 60870-5-101/104 DNP3 Communication Module), BMXNGD0100 (M580 Global Data module), and the Modicon M340 controller itself. Successful exploitation could result in loss of device availability and cessation of controlled processes.

What this means
What could happen
A denial-of-service vulnerability in Modicon M340 communication modules could allow an attacker to crash or freeze the controller, stopping your process operations until the device is manually rebooted.
Who's at risk
This vulnerability affects water and electric utilities using Schneider Electric Modicon M340 automation controllers, particularly those relying on Modbus/TCP communication modules (BMXNOE0100, BMXNOE0110) for remote monitoring or control. Any facility with these controllers networked for SCADA operations, pump control, or process automation is at risk.
How it could be exploited
An attacker on the network sends malformed Modbus/TCP packets to the communication module's Ethernet port. The module fails to validate the input properly and crashes, becoming unavailable and taking the attached PLC and its controlled processes offline.
Prerequisites
  • Network access to the Modicon M340 communication module's Ethernet port (typically port 502 for Modbus/TCP)
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects availability/operations, no patch available for some modules
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
2 with fix, 4 EOL
Product | Affected Versions | Fix Status
Modbus/TCP Ethernet Modicon M340 module | <3.60 | 3.60
Modbus/TCP Ethernet Modicon M340 FactoryCast module | <6.80 | 6.80
Modicon M340 All versions | All versions | No fix (EOL)
Ethernet / Serial RTU Module All versions | All versions | No fix (EOL)
M580 Global Data module All versions | All versions | No fix (EOL)
Modicon M340 X80 Ethernet Communication modules All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Modbus/TCP port 502 on Modicon M340 modules: allow only from engineering workstations and authorized control systems, deny from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update BMXNOE0100 (Modbus/TCP Ethernet M340 module) to firmware version 3.60 or later
HOTFIX: Update BMXNOE0110 (Modbus/TCP Ethernet M340 FactoryCast module) to firmware version 6.80 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon M340 All versions, Ethernet / Serial RTU Module All versions, M580 Global Data module All versions, Modicon M340 X80 Ethernet Communication modules All versions. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate M340 controllers on a dedicated industrial network separate from general corporate IT traffic
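One way to check that the port 502 workaround and the segmentation control above are actually in effect is to audit firewall or flow records for sources outside the allowlist reaching the modules. This is an added example, not part of the advisory; the addresses, the record format and the names `ALLOWED_SOURCES`, `M340_MODULES` and `audit_flows` are assumptions constructed for illustration.

```python
"""Audit observed flows to Modbus/TCP port 502 against an allowlist (added example)."""
import ipaddress

MODBUS_PORT = 502
# Assumed addressing plan, constructed for illustration (not from the advisory).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.20.0.10/32",   # engineering workstation
    "10.20.0.16/28",   # authorized control systems (SCADA servers)
)]
M340_MODULES = [ipaddress.ip_network("10.20.5.0/24")]  # dedicated controller segment

# Constructed flow records, one per line: "src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
10.20.0.10 10.20.5.21 502 ACCEPT
10.20.0.17 10.20.5.21 502 ACCEPT
192.168.40.7 10.20.5.21 502 ACCEPT
192.168.40.7 10.20.5.22 502 DROP
10.20.0.10 10.20.5.21 80 ACCEPT
not-an-ip 10.20.5.21 502 ACCEPT
"""

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def audit_flows(text):
    """Return (violations, blocked, malformed) for flows to M340 modules on 502."""
    violations, blocked, malformed = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src_s, dst_s, port_s, action = line.split()
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            malformed.append(lineno)  # keep the line number for manual review
            continue
        if port != MODBUS_PORT or not _in_any(dst, M340_MODULES):
            continue  # out of scope for this check
        if _in_any(src, ALLOWED_SOURCES):
            continue  # engineering workstation or authorized control system
        # Source is not on the allowlist: ACCEPT means the restriction has a gap.
        target = violations if action.upper() == "ACCEPT" else blocked
        target.append((str(src), str(dst)))
    return violations, blocked, malformed

if __name__ == "__main__":
    print(audit_flows(SAMPLE_FLOWS))
```

Any entry in the first returned list is a source that reached a module on port 502 without being on the allowlist and should be treated as a rule gap to close.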