Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Monitor | CVSS 5.4 | ICS-CERT ICSA-26-078-02 | Mar 10, 2026
Vendor: Schneider Electric | Sectors: Energy, Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 contain cross-site scripting (XSS) and open redirect vulnerabilities in their web interfaces. Successful exploitation could allow an attacker with valid credentials to inject malicious code or craft redirects that steal user session tokens, potentially leading to account takeover and unauthorized modification of controller logic and machine parameters. M241 and M251 controllers have firmware fixes available (version 5.4.13.12), while M258 and LMC058 have no patch planned and must rely on network controls and operational mitigations.

What this means
What could happen
An attacker with valid credentials to the controller's web interface could perform cross-site scripting attacks to steal session tokens or redirect users to malicious sites, potentially leading to account takeover and unauthorized changes to machine logic or process parameters.
Who's at risk
Manufacturing and energy sector organizations using Schneider Electric Modicon M241, M251, M258, and LMC058 logic controllers are affected. These controllers are typically used in machine automation, process control, and plant monitoring systems. Organizations relying on web-based configuration or monitoring interfaces are at highest risk.
How it could be exploited
An attacker must first gain valid credentials for the controller's web interface (or trick a legitimate user into clicking a malicious link). The attacker then injects malicious JavaScript code or crafts a redirect URL in the web interface, which executes in the browser of any user accessing that page, allowing session hijacking or credential theft.
Prerequisites
  • Valid credentials to the controller's web interface
  • Network access to HTTP (port 80) or HTTPS (port 443)
  • User interaction required (victim must visit the controller web page or click a malicious link)
Tags: Requires valid credentials; Requires user interaction; Affects logic controller web interface; No fix available for M258 and LMC058; Low EPSS score (0.1%)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
2 with fix, 2 EOL
Product                    | Affected Versions | Fix Status
Modicon Controllers M241   | < 5.4.13.12       | 5.4.13.12
Modicon Controllers M251   | < 5.4.13.12       | 5.4.13.12
Modicon Controllers M258   | All versions      | No fix (EOL)
Modicon Controllers LMC058 | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement firewall rules to block unauthorized access to ports 80 and 443 on all Modicon controllers from untrusted networks
WORKAROUND: Disable the web server on Modicon M258 and LMC058 controllers when not in active use
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M241 to firmware version 5.4.13.12 via EcoStruxure Machine Expert v2.5.0.1
HOTFIX: Update Modicon M251 to firmware version 5.4.13.12 via EcoStruxure Machine Expert v2.5.0.1
HARDENING: Enforce strong password policies and ensure user management is enabled on all Modicon controllers
HARDENING: Use encrypted communication (HTTPS) for all access to controller web interfaces
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon Controllers M258, Modicon Controllers LMC058. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate controllers from the public internet and untrusted networks
HARDENING: Use a VPN for any required remote access to controllers