Schneider Electric devices using CODESYS Runtime
Plan PatchCVSS 8.8ICS-CERT ICSA-26-020-02Jul 11, 2023
Schneider ElectricCODESYSEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Multiple vulnerabilities in CODESYS V3 runtime communication server affect many Schneider Electric products. These flaws (CWE-119, CWE-787, CWE-20 and others related to buffer overflows and input validation) can be exploited to cause denial of service or remote code execution on Modicon Controllers (M241, M251, M262, M258, LMC058, LMC078, M218), PacDrive 3 controllers, HMISCU controllers, Harmony HMI panels, and EcoStruxure Machine Expert embedded SoftSPS. Several older models (M258, LMC058, LMC078, M218, and older Harmony/Magelis lines) are end-of-life and will not receive patches.
What this means
What could happen
An attacker with network access could crash Modicon Controllers or run arbitrary commands on them, disrupting production processes or altering control logic. Several older controller models have no fix available.
Who's at risk
Water and electric utilities operating Schneider Electric Modicon Controllers (M241, M251, M262, M258, LMC058, LMC078, M218), PacDrive 3 controllers, HMISCU, Harmony HMI panels, and systems running EcoStruxure Machine Expert or Vijeo Designer. Any facility using these devices for pump control, pressure regulation, distribution automation, or process control should prioritize assessment.
How it could be exploited
An attacker on your network can send malicious packets to the CODESYS V3 communication server running on affected Schneider Electric controllers. If the attacker has valid engineering credentials, they could execute commands or crash the device; unauthenticated denial of service is also possible.
Prerequisites
- Network access to the CODESYS V3 communication server port on the controller
- Valid engineering credentials for remote code execution scenarios
- Device must be running one of the listed Schneider Electric products with embedded CODESYS runtime
Remotely exploitableNo authentication required for denial of serviceLow complexity exploitationHigh CVSS score (8.8)Multiple products have no fix available (end-of-life controllers)Affects process control devices
Exploitability
Some exploitation risk — EPSS score 5.8%
Affected products (19)
12 with fix1 pending6 EOL
ProductAffected VersionsFix Status
SoftSPS embedded in EcoStruxure™ Machine Expert All<2.22.2
Vijeo Designer embedded in EcoStruxure™ Machine Expert All<6.3.16.3.1
HMISCU Controller All<6.3.16.3.1
Modicon Controller M241 All<5.2.11.185.2.11.18
Modicon Controller M251 All<5.2.11.185.2.11.18
Remediation & Mitigation
0/5
Do now
0/2WORKAROUNDImplement network segmentation to restrict access to CODESYS communication ports (typically 11740 and 11741) from engineering workstations only; block from untrusted networks
HARDENINGDisable CODESYS V3 remote services if not needed for daily operations
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpdate Schneider Electric software via the Software Update (SESU) application: EcoStruxure Machine Expert to v2.2 (for Modicon M241/M251/M262 and PacDrive 3), Vijeo Designer to v6.3.1, and any other tools to their fixed versions
HOTFIXReboot all updated Modicon controllers and PacDrive devices after firmware updates are installed
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: Modicon Controller LMC078 All Versions, Modicon Controller M258 All Versions, Modicon Controller LMC058 All Versions, Modicon Controller M218 All Versions, Magelis XBT series All Versions, Easy Harmony HMIET6/HMIFT6 Magelis HMIGXU all. Apply the following compensating controls:
HARDENINGMonitor network traffic to the affected controllers for unusual connection patterns
CVEs (37)
CVE-2022-4046CVE-2023-28355CVE-2022-47378CVE-2022-47379CVE-2022-47380CVE-2022-47381CVE-2022-47383CVE-2022-47386CVE-2022-47388CVE-2022-47389CVE-2022-47392CVE-2023-37546CVE-2023-37548CVE-2023-37550CVE-2023-37552CVE-2023-37554CVE-2023-37555CVE-2023-37557CVE-2023-37559CVE-2023-3662CVE-2023-3669CVE-2023-3670CVE-2022-47384CVE-2022-47385CVE-2022-47387CVE-2022-47390CVE-2022-47391CVE-2022-47393CVE-2023-3663CVE-2023-37545CVE-2023-37547CVE-2023-37549CVE-2023-37551CVE-2023-37553CVE-2023-37556CVE-2023-37558CVE-2022-47382
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/d8fa40ad-cbdd-42a2-b1d6-b129f7f24cadGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.