Schneider Electric devices using CODESYS Runtime
Plan Patch | 8.8 | ICS-CERT ICSA-26-020-02 | Jul 11, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in CODESYS V3 runtime communication server affect many Schneider Electric products. These flaws (CWE-119, CWE-787, CWE-20 and others related to buffer overflows and input validation) can be exploited to cause denial of service or remote code execution on Modicon Controllers (M241, M251, M262, M258, LMC058, LMC078, M218), PacDrive 3 controllers, HMISCU controllers, Harmony HMI panels, and EcoStruxure Machine Expert embedded SoftSPS. Several older models (M258, LMC058, LMC078, M218, and older Harmony/Magelis lines) are end-of-life and will not receive patches.
What this means
What could happen
An attacker with network access could crash Modicon Controllers or run arbitrary commands on them, disrupting production processes or altering control logic. Several older controller models have no fix available.
Who's at risk
Water and electric utilities operating Schneider Electric Modicon Controllers (M241, M251, M262, M258, LMC058, LMC078, M218), PacDrive 3 controllers, HMISCU, Harmony HMI panels, and systems running EcoStruxure Machine Expert or Vijeo Designer. Any facility using these devices for pump control, pressure regulation, distribution automation, or process control should prioritize assessment.
How it could be exploited
An attacker on your network can send malicious packets to the CODESYS V3 communication server running on affected Schneider Electric controllers. If the attacker has valid engineering credentials, they could execute commands or crash the device; unauthenticated denial of service is also possible.
Prerequisites
- Network access to the CODESYS V3 communication server port on the controller
- Valid engineering credentials for remote code execution scenarios
- Device must be running one of the listed Schneider Electric products with embedded CODESYS runtime
- Remotely exploitable
- No authentication required for denial of service
- Low complexity exploitation
- High CVSS score (8.8)
- Multiple products have no fix available (end-of-life controllers)
- Affects process control devices
Exploitability
Moderate exploit probability (EPSS 4.4%)
Affected products (17)
10 with fix, 1 pending, 6 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| HMISCU Controller | All <6.3.1 | 6.3.1 |
| Modicon Controller M241 | All <5.2.11.18 | 5.2.11.18 |
| Modicon Controller M251 | All <5.2.11.18 | 5.2.11.18 |
| Modicon Controller M262 | All <5.2.8.12 | 5.2.8.12 |
| PacDrive 3 Controllers: LMC Eco/Pro/Pro2 | All <1.76.14.1 | 1.76.14.1 |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network segmentation to restrict access to CODESYS communication ports (typically 11740 and 11741) from engineering workstations only; block from untrusted networks
- HARDENING: Disable CODESYS V3 remote services if not needed for daily operations
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update Schneider Electric software via the Software Update (SESU) application: EcoStruxure Machine Expert to v2.2 (for Modicon M241/M251/M262 and PacDrive 3), Vijeo Designer to v6.3.1, and any other tools to their fixed versions
- HOTFIX: Reboot all updated Modicon controllers and PacDrive devices after firmware updates are installed
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon Controller LMC078 All Versions, Modicon Controller M258 All Versions, Modicon Controller LMC058 All Versions, Modicon Controller M218 All Versions, Magelis XBT series All Versions, Easy Harmony HMIET6/HMIFT6 Magelis HMIGXU all. Apply the following compensating controls:
- HARDENING: Monitor network traffic to the affected controllers for unusual connection patterns
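The segmentation workaround and the monitoring control above can be checked against flow logs. The following Python audit is an added example, not part of the advisory or any Schneider Electric tooling: it flags sources outside the engineering-workstation allowlist that reach the CODESYS ports, and any source that touches an unusual number of controllers. The controller subnet, workstation addresses, fan-out threshold and CSV flow format are assumptions, and the sample records are constructed.

```python
import csv
import io
from ipaddress import ip_address, ip_network

CODESYS_PORTS = {11740, 11741}  # "typically 11740 and 11741" per the advisory

# Assumed site inventory (constructed values; replace with your own).
CONTROLLERS = ip_network("10.20.0.0/24")
ENGINEERING_WS = {ip_address("10.10.5.21"), ip_address("10.10.5.22")}
FANOUT_LIMIT = 3  # assumed: max distinct controllers per source per log window

# Constructed flow records in an assumed CSV export format.
SAMPLE_FLOWS = """\
ts,src,dst,dport
2024-01-08T02:14:07Z,10.10.5.21,10.20.0.11,11740
2024-01-08T02:14:09Z,10.10.5.21,10.20.0.12,11740
2024-01-08T02:15:30Z,10.30.7.99,10.20.0.11,11740
2024-01-08T02:15:31Z,10.30.7.99,10.20.0.11,443
2024-01-08T02:16:00Z,10.10.5.22,10.20.0.11,11741
2024-01-08T02:16:01Z,10.10.5.22,10.20.0.12,11741
2024-01-08T02:16:02Z,10.10.5.22,10.20.0.13,11741
2024-01-08T02:16:03Z,10.10.5.22,10.20.0.14,11741
2024-01-08T02:17:45Z,192.0.2.50,10.20.0.13,11741
"""


def audit(flow_csv):
    """Return (kind, source, detail) findings for CODESYS-port traffic."""
    findings, reached = [], {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        dport = int(row["dport"])
        if dst not in CONTROLLERS or dport not in CODESYS_PORTS:
            continue  # not runtime traffic to a controller
        if src not in ENGINEERING_WS:
            # Segmentation gap: this flow should have been blocked upstream.
            findings.append(("unauthorized_source", str(src), f"{dst}:{dport}"))
        reached.setdefault(src, set()).add(dst)
    for src, dsts in reached.items():
        if len(dsts) > FANOUT_LIMIT:
            # Even an allowlisted workstation sweeping controllers is unusual.
            findings.append(("fanout", str(src), f"{len(dsts)} controllers"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding, sep="\t")
```

Any `unauthorized_source` finding means the port restriction is not being enforced on that path; for the end-of-life controllers, which have no patch, that finding is the primary signal to act on.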
CVEs (37)
CVE-2022-4046, CVE-2023-28355, CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-2022-47393, CVE-2022-47391, CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550, CVE-2023-37551, CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, CVE-2023-37556, CVE-2023-37557, CVE-2023-37558, CVE-2023-37559, CVE-2023-3662, CVE-2023-3663, CVE-2023-3669, CVE-2023-3670