Festo MSE6-C2M/D2M/E2M

Plan PatchCVSS 8.8ICS-CERT ICSA-25-324-04Sep 5, 2023

FestoManufacturing

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Festo MSE6-C2M/D2M/E2M proportional solenoid valve controllers contain undocumented and incompletely documented test mode functions that are remotely accessible. These functions can be invoked by authenticated users to cause denial of service, loss of integrity, or malfunction of controlled processes. The underlying communication protocols do not meet current security standards. All versions of affected models are vulnerable; Festo has not released firmware patches and states the products are designed for sealed-off industrial networks only.

What this means

What could happen

An attacker with network access and valid credentials could exploit undocumented test mode functions in Festo MSE6 series automation controllers to cause denial of service, alter setpoints, or corrupt system integrity, disrupting production processes.

Who's at risk

Manufacturers and process facilities using Festo MSE6-C2M, MSE6-D2M, or MSE6-E2M series pneumatic proportional control systems in automated production lines, assembly systems, or other sealed industrial networks. Risk is highest in facilities where these controllers are connected to plant IT networks or where remote engineering access is enabled.

How it could be exploited

An attacker gains network access to an MSE6 controller (typically port 502 for Modbus/TCP or manufacturer proprietary ports). Using valid engineering or operator credentials (or discovering default credentials), the attacker can access remote executable test functions that are not fully documented. These functions can be invoked to halt operations, modify process parameters, or cause system faults.

Prerequisites

Network reachability to the MSE6 controller on its active service port
Valid engineering workstation credentials or operator credentials for the device
Knowledge of the undocumented test mode command syntax (not publicly disclosed)

remotely exploitablerequires valid credentials (low barrier if defaults exist)no patch availableaffects automated production control systemsprotocols do not meet current security standards

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (24)

13 pending11 EOL

ProductAffected VersionsFix Status

MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGDAll versionsNo fix yet

MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGDAll versionsNo fix yet

MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGDAll versionsNo fix yet

MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGDAll versionsNo fix yet

MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGDAll versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGImplement network segmentation: isolate MSE6 controllers on a dedicated industrial network with firewall rules that block all inbound access from business networks and the internet

HARDENINGEnable authentication and access control on all MSE6 devices; review and enforce strong password policies for engineering workstation and operator accounts

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGIf remote engineering access is required, deploy a VPN gateway with multi-factor authentication and maintain current VPN firmware

HARDENINGReview updated Festo documentation (FSA-202304) to understand the full scope of remote-accessible functions and their legitimate use cases

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD vers:all/*, MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGD vers:all/*, MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGD vers:all/*, MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGD vers:all/*, MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGD vers:all/*, MSE6-C2M-5000-FB44-D-RG-BAR-AMI-AGD vers:all/*, MSE6-E2M-5000-FB13-AGD vers:all/*, MSE6-E2M-5000-FB36-AGD vers:all/*, MSE6-E2M-5000-FB37-AGD vers:all/*, MSE6-E2M-5000-FB43-AGD vers:all/*, MSE6-E2M-5000-FB44-AGD vers:all/*. Apply the following compensating controls:

HARDENINGMonitor MSE6 devices for unauthorized remote access attempts and unusual command activity using network intrusion detection if available

CVEs (1)

CVE-2023-3634

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/46ca986a-6943-497d-91b1-5d626bba722b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.