OTPulse

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Monitor · CVSS 5.4 · ICS-CERT ICSA-26-078-02 · Mar 19, 2026
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Cross-site Scripting (XSS) and open redirect vulnerabilities in Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 web interfaces allow authenticated attackers to inject malicious scripts or redirect links. Successful exploitation could result in account takeover, credential theft, or execution of arbitrary code in an operator's browser. M241 and M251 are vulnerable in firmware versions prior to 5.4.13.12; M258 and LMC058 have no patch available from the vendor.

What this means
What could happen
An authenticated attacker could inject malicious scripts or redirect users through the controller's web interface, potentially leading to account takeover or unauthorized code execution in an operator's browser. This affects users who access the controller remotely or through untrusted networks.
Who's at risk
Manufacturing and energy sector operators who use Schneider Electric Modicon Controllers (M241, M251, M258, or LMC058) for machine automation or process control, especially those with remote engineering access or web-based monitoring interfaces.
How it could be exploited
An attacker with valid engineering workstation credentials accesses the Modicon controller's web interface (ports 80/443) and injects malicious JavaScript or a redirect URL into input fields. When an operator or engineer views the affected page, the script executes in their browser or they are redirected to a phishing site, allowing credential theft or session hijacking.
Prerequisites
  • Valid engineering workstation credentials
  • Network access to controller web interface on ports 80 or 443
  • User interaction required: operator must view the crafted page in their browser
  • Remotely exploitable via web interface
  • Requires valid credentials (reduces but does not eliminate risk)
  • User interaction required
  • No patch available for M258 and LMC058 (end-of-life or no fix planned)
  • Low EPSS score (0.1%) indicates low exploit probability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
2 with fix · 2 EOL
Product                      Affected Versions   Fix Status
Modicon Controllers M241     < 5.4.13.12         5.4.13.12
Modicon Controllers M251     < 5.4.13.12         5.4.13.12
Modicon Controllers M258     All versions        No fix (EOL)
Modicon Controllers LMC058   All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on M258 and LMC058 controllers when not actively needed
WORKAROUND: Restrict network access to controller web interface ports 80 and 443 using firewall rules; only allow connections from trusted engineering networks
HARDENING: Enable user management and enforce strong password policies on all affected controllers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M241 firmware to version 5.4.13.12 via EcoStruxure Machine Expert v2.5.0.1, then reboot the controller
HOTFIX: Update Modicon M251 firmware to version 5.4.13.12 via EcoStruxure Machine Expert v2.5.0.1, then reboot the controller
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon Controllers M258, Modicon Controllers LMC058. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate Modicon controllers from untrusted or public networks
HARDENING: Use encrypted communication links (HTTPS) and VPN tunnels for any remote access to controllers
HARDENING: Review and apply Schneider Electric Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers
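A defender-side check that ties the "How it could be exploited" section to the network-restriction workaround above: it flags requests to the controller web ports (80/443) from outside the trusted engineering network, script-like parameter values, and redirect parameters pointing off the controller host. This is an added example, not code from the advisory or from Schneider Electric; the log line format, the trusted subnet, the controller hostname and the log lines themselves are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed trusted engineering network and controller hostname (not from the advisory).
TRUSTED_NETS = [ipaddress.ip_network("10.10.20.0/24")]
CONTROLLER_HOST = "plc-m241.example.local"
WEB_PORTS = {80, 443}

# Constructed log lines in a simple "src_ip dst_port method path" shape; the
# controllers' real web-server log format is not given by the advisory.
SAMPLE_LOG = """\
10.10.20.15 443 GET /index.htm?page=status
192.168.1.77 80 GET /index.htm?page=<script>alert(1)</script>
10.10.20.15 443 GET /login.htm?redirect=https://evil.example/login
10.10.20.16 443 GET /login.htm?redirect=/dashboard.htm
"""

# Crude but useful indicators of script injection in a query value.
SCRIPT_PAT = re.compile(r"<\s*script|javascript:|onerror\s*=|onload\s*=", re.I)
# Parameter names commonly used to carry a post-login redirect target.
REDIRECT_KEYS = {"redirect", "url", "next", "return", "goto"}


def external_redirect(value):
    """True when a redirect target names a host other than the controller."""
    target = urlsplit(unquote(value))
    return bool(target.netloc) and target.hostname != CONTROLLER_HOST


def check_line(line):
    """Return the list of findings for one log line (empty if benign)."""
    src, port, _method, path = line.split(maxsplit=3)
    findings = []
    if int(port) in WEB_PORTS and not any(
        ipaddress.ip_address(src) in net for net in TRUSTED_NETS
    ):
        findings.append("untrusted-source")
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if SCRIPT_PAT.search(unquote(value)):
            findings.append(f"xss-like:{key}")
        if key.lower() in REDIRECT_KEYS and external_redirect(value):
            findings.append(f"open-redirect:{key}")
    return findings


def scan(log):
    """Map each suspicious log line to its findings."""
    return {line: f for line in log.splitlines() if (f := check_line(line))}


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(findings, "<-", line)
```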
Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 | CVSS 5.4 - OTPulse