Festo MSE6-C2M/D2M/E2M
Plan Patch | 8.8 | ICS-CERT ICSA-25-324-04 | Sep 5, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Festo MSE6-C2M/D2M/E2M proportional solenoid valve controllers contain undocumented and incompletely documented test mode functions that are remotely accessible. These functions can be invoked by authenticated users to cause denial of service, loss of integrity, or malfunction of controlled processes. The underlying communication protocols do not meet current security standards. All versions of affected models are vulnerable; Festo has not released firmware patches and states the products are designed for sealed-off industrial networks only.
What this means
What could happen
An attacker with network access and valid credentials could exploit undocumented test mode functions in Festo MSE6 series automation controllers to cause denial of service, alter setpoints, or corrupt system integrity, disrupting production processes.
Who's at risk
Manufacturers and process facilities using Festo MSE6-C2M, MSE6-D2M, or MSE6-E2M series pneumatic proportional control systems in automated production lines, assembly systems, or other sealed industrial networks. Risk is highest in facilities where these controllers are connected to plant IT networks or where remote engineering access is enabled.
How it could be exploited
An attacker gains network access to an MSE6 controller (typically port 502 for Modbus/TCP or manufacturer-proprietary ports). Using valid engineering or operator credentials (or discovering default credentials), the attacker can access remotely executable test functions that are not fully documented. These functions can be invoked to halt operations, modify process parameters, or cause system faults.
Prerequisites
- Network reachability to the MSE6 controller on its active service port
- Valid engineering workstation credentials or operator credentials for the device
- Knowledge of the undocumented test mode command syntax (not publicly disclosed)
remotely exploitable | requires valid credentials (low barrier if defaults exist) | no patch available | affects automated production control systems | protocols do not meet current security standards
Affected products (12)
1 pending, 11 EOL
Product | Affected Versions | Fix Status
MSE6-D2M-5000-CBUS-S-RG-BAR-VCB-AGD | All versions (vers:all/*) | No fix yet
MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD | All versions (vers:all/*) | No fix (EOL)
MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGD | All versions (vers:all/*) | No fix (EOL)
MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGD | All versions (vers:all/*) | No fix (EOL)
MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGD | All versions (vers:all/*) | No fix (EOL)
MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGD | All versions (vers:all/*) | No fix (EOL)
MSE6-C2M-5000-FB44-D-RG-BAR-AMI-AGD | All versions (vers:all/*) | No fix (EOL)
MSE6-E2M-5000-FB13-AGD | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation: isolate MSE6 controllers on a dedicated industrial network with firewall rules that block all inbound access from business networks and the internet
- HARDENING: Enable authentication and access control on all MSE6 devices; review and enforce strong password policies for engineering workstation and operator accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: If remote engineering access is required, deploy a VPN gateway with multi-factor authentication and maintain current VPN firmware
- HARDENING: Review updated Festo documentation (FSA-202304) to understand the full scope of remote-accessible functions and their legitimate use cases
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD vers:all/*, MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGD vers:all/*, MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGD vers:all/*, MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGD vers:all/*, MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGD vers:all/*, MSE6-C2M-5000-FB44-D-RG-BAR-AMI-AGD vers:all/*, MSE6-E2M-5000-FB13-AGD vers:all/*, MSE6-E2M-5000-FB36-AGD vers:all/*, MSE6-E2M-5000-FB37-AGD vers:all/*, MSE6-E2M-5000-FB43-AGD vers:all/*, MSE6-E2M-5000-FB44-AGD vers:all/*. Apply the following compensating controls:
- HARDENING: Monitor MSE6 devices for unauthorized remote access attempts and unusual command activity using network intrusion detection if available
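One way to check the segmentation and monitoring controls above against exported flow records, as an added example that is not part of the advisory or Festo's tooling. The subnet, controller and workstation addresses, the flow-record format, the finding names and the Modbus/TCP-only baseline are all assumptions for illustration; only port 502 comes from the advisory text.

```python
import ipaddress

# Assumed site inventory (constructed values, not from the advisory).
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")          # dedicated industrial network
CONTROLLERS = {ipaddress.ip_address("10.20.0.50"),        # MSE6 controller addresses
               ipaddress.ip_address("10.20.0.51")}
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.10")}  # approved workstation
MODBUS_TCP = 502  # service port named in the advisory text

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2025-01-01T08:00:01Z 10.20.0.10 10.20.0.50 502
2025-01-01T08:00:05Z 192.168.5.23 10.20.0.50 502
2025-01-01T08:01:10Z 10.20.0.77 10.20.0.51 502
2025-01-01T08:02:00Z 10.20.0.10 10.20.0.51 8080
2025-01-01T08:03:00Z 10.20.0.10 10.20.0.99 502
malformed line
"""

def classify(src, dst, port):
    """Return a finding name for one flow, or None if it is expected."""
    if dst not in CONTROLLERS:
        return None                       # not addressed to an MSE6 controller
    if src not in OT_SUBNET:
        return "SEGMENTATION_VIOLATION"   # traffic crossed into the sealed network
    if src not in ENGINEERING_HOSTS:
        return "UNAPPROVED_SOURCE"        # inside the OT network but not allowlisted
    if port != MODBUS_TCP:
        return "UNEXPECTED_PORT"          # approved host, outside the assumed baseline
    return None

def audit(flow_text):
    """Parse flow lines and return (timestamp, src, dst, port, finding) tuples."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than abort the audit
        ts, src_s, dst_s, port_s = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # unparseable address or port
        finding = classify(src, dst, port)
        if finding:
            findings.append((ts, src_s, dst_s, port, finding))
    return findings

if __name__ == "__main__":
    for record in audit(SAMPLE_FLOWS):
        print(*record)
```

A SEGMENTATION_VIOLATION finding means the firewall rule set is not blocking business-network traffic as intended; the other two findings are candidates for review as unauthorized access attempts.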
CVEs (1)