Schneider Electric Modicon M340, BMXNOE0100, and BMXNOE0110

MonitorCVSS 6.5ICS-CERT ICSA-25-254-09Jun 11, 2024

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Vulnerability in Schneider Electric Modicon M340 programmable automation controllers and associated BMXNOE0100/BMXNOE0110 Ethernet network modules. An attacker with network access to FTP port 21/TCP can upload files without authentication if FTP service is enabled. This could prevent firmware updates and cause webserver malfunction. Core automation operations are not directly affected. Modbus/TCP Ethernet modules (BMXNOE0100 and BMXNOE0110) have been patched; remediation for base Modicon M340 is still under development.

What this means

What could happen

An attacker with FTP access to the network could upload unauthorized files to the Modicon M340 controller or Ethernet network modules, potentially affecting device configuration or webserver operation. This could prevent firmware updates and cause the webserver to malfunction, though core process control operations are not directly impacted.

Who's at risk

Energy utilities and infrastructure operators using Schneider Electric Modicon M340 programmable automation controllers (PACs) and their associated BMXNOE0100 or BMXNOE0110 Ethernet network modules. This affects any facility using these controllers for industrial automation, especially generation, transmission, or distribution operations.

How it could be exploited

An attacker on the network sends FTP commands to port 21/TCP on the Modicon M340 or BMXNOE0100/BMXNOE0110 module. If FTP is enabled (not the default), the attacker can upload files without authentication, potentially altering device configuration or webserver files. No user interaction is required.

Prerequisites

Network access to FTP port 21/TCP on the device
FTP service must be explicitly enabled (not default)
No credentials required

remotely exploitableno authentication requiredlow complexityFTP enabled non-default but possibleaffects webserver and firmware update capability

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

2 with fix1 EOL

ProductAffected VersionsFix Status

Modbus/TCP Ethernet Modicon M340 module<SV3.60SV3.60

Modbus/TCP Ethernet Modicon M340 FactoryCast module<SV6.80SV6.80

Modicon M340 All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDConfigure firewall rules to block all unauthorized access to FTP port 21/TCP on the Modicon M340 and network modules

WORKAROUNDDisable FTP service on the device if it is not actively required for remote management

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Modbus/TCP Ethernet Modicon M340 module

HOTFIXUpdate BMXNOE0100 (Modbus/TCP Ethernet Modicon M340 module) to version SV3.60 or later

Modbus/TCP Ethernet Modicon M340 FactoryCast module

HOTFIXUpdate BMXNOE0110 (Modbus/TCP Ethernet Modicon M340 FactoryCast module) to version SV6.80 or later

All products

HARDENINGConfigure Access Control List (ACL) following Schneider Electric's Modicon M340 Ethernet Communications Modules and Processors User Manual

Mitigations - no patch available

0/1

Modicon M340 All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate Modicon M340 controllers from business networks and internet access

CVEs (1)

CVE-2024-5056

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d7760ce1-d46d-4296-9deb-f81066492d3c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.