OTPulse

Embedded FTP Servers for Modicon PAC Controllers

Plan Patch · 8.1 · SEVD-2018-081-01 · Mar 22, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple vulnerabilities exist in the embedded FTP servers of Modicon PAC controllers (M340, M580, M580 CPU Safety, RTU BMXNOR0200H, and X80 Ethernet Communication Module). These vulnerabilities allow unauthorized access to the FTP service running on port 21/TCP without proper authentication or encryption. Affected controllers use weak credentials, insufficient access controls, and unencrypted file transfer protocols. The vulnerabilities (CWE-522 weak password storage, CWE-798 hardcoded credentials, CWE-327 weak cryptography) could allow an attacker to access, modify, or delete controller configurations and firmware. Legacy Modicon Premium and Quantum controllers are affected but will not receive patches.

What this means
What could happen
An attacker with network access to the FTP port could gain unauthorized access to a Modicon PAC controller, allowing them to read or modify controller configuration, firmware, and programs—potentially disrupting critical industrial operations like power generation, water treatment, or manufacturing processes.
Who's at risk
Water authorities, electric utilities, and manufacturing facilities using Schneider Electric Modicon PAC controllers (M340, M580, M580 CPU Safety, RTU BMXNOR0200H, X80 Ethernet Communication Module). Also affects legacy Modicon Premium and Quantum controllers for which no patches are available. Any organization using these controllers for SCADA, process control, or distributed intelligence applications should prioritize remediation.
How it could be exploited
An attacker on the same network segment as a Modicon PAC probes port 21/TCP for the embedded FTP service. If found and FTP is enabled (default), the attacker exploits weak or default credentials to authenticate to the FTP server, then downloads or modifies controller firmware, programs, or configuration files to alter process behavior or deny service.
Prerequisites
  • Network access to port 21/TCP on the controller
  • FTP service enabled on the target controller (enabled by default)
  • Knowledge of or ability to guess weak/default FTP credentials
  • Network path from attacker's position to controller segment
  • remotely exploitable
  • no authentication required (weak/default credentials)
  • low complexity
  • affects safety systems (M580 CPU Safety variant)
  • high impact to confidentiality and integrity
  • no fix available for legacy Modicon Premium and Quantum
  • FTP enabled by default
Exploitability
Moderate exploit probability (EPSS 7.0%)
Affected products (10)
9 with fix · 1 EOL
Product | Affected Versions | Fix Status
Modicon M340 <3.50 | <3.50 | 3.50
Modicon M580 <SV4.10 | <SV4.10 | SV4.10
Modicon M580 CPU Safety (part numbers BMEP58*S & BMEH58*S) | <SV4.21 | SV4.21
Modicon RTU BMXNOR0200H <V1.7 IR24 | <V1.7 IR24 | V1.7 IR24
Modicon X80 Ethernet Communication Module <V2.11 | <V2.11 | V2.11
Modicon X80 Ethernet Communication Module All Versions | All Versions | V2.11
Modicon M340 <=V3.40 | ≤ V3.40 | 3.50
Modicon M340 V3.50 | V3.50 | 3.50
Remediation & Mitigation
Do now
WORKAROUND: Implement network segmentation and configure firewall rules to block all unauthorized access to FTP port 21/TCP on affected controllers
WORKAROUND: Disable the FTP service on all Modicon controllers when not actively needed for maintenance or file transfer tasks
WORKAROUND: Configure Access Control Lists (ACLs) to restrict FTP access (port 21/TCP) to authorized IP addresses only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M340 to firmware version 3.50 or later
HOTFIX: Update Modicon M580 to firmware version SV4.10 or later
HOTFIX: Update Modicon M580 CPU Safety (BMEP58*S, BMEH58*S) to firmware version SV4.21 or later
HOTFIX: Update Modicon RTU BMXNOR0200H to firmware version V1.7 IR24 or later
HOTFIX: Update Modicon X80 Ethernet Communication Module to firmware version V2.11 or later
Mitigations - no patch available
Legacy Modicon Premium and Quantum controllers (all versions) have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Enable and verify memory protection on Modicon M580 CPUs by configuring the memory protection input bit to a physical input as detailed in the Modicon Controllers Platform Cyber Security Reference Manual
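To turn the remediation list above into an asset-by-asset worklist, the following added example (not part of the advisory or any vendor tooling) triages an inventory against the fixed firmware versions and flags controllers that still have FTP enabled. The inventory schema (`name`, `product`, `firmware`, `ftp_enabled`), the sample records, and the assumption that version fields order numerically are illustrative.

```python
import re

# Minimum fixed firmware per product, from the advisory's remediation list.
FIXED = {
    "Modicon M340": "3.50",
    "Modicon M580": "SV4.10",
    "Modicon M580 CPU Safety": "SV4.21",
    "Modicon RTU BMXNOR0200H": "V1.7 IR24",
    "Modicon X80 Ethernet Communication Module": "V2.11",
}
EOL = {"Modicon Premium", "Modicon Quantum"}  # no patch will be released

_VERSION = re.compile(r"^(?:SV|V)?(\d+)\.(\d+)(?:\s*IR(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, ir). Assumption: fields order numerically."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def triage(asset):
    """Classify one inventory record (hypothetical schema, see INVENTORY)."""
    product = asset["product"]
    if product in EOL:
        status = "no-patch"      # compensating controls only
    elif product not in FIXED:
        status = "not-listed"
    elif parse_version(asset["firmware"]) < parse_version(FIXED[product]):
        status = "update"
    else:
        status = "fixed"
    # FTP is enabled by default; flag it whatever the firmware level.
    return {"name": asset["name"], "status": status,
            "ftp_enabled": bool(asset["ftp_enabled"])}

# Constructed sample inventory (names and versions are illustrative).
INVENTORY = [
    {"name": "plc-01", "product": "Modicon M340", "firmware": "3.40", "ftp_enabled": True},
    {"name": "plc-02", "product": "Modicon M580 CPU Safety", "firmware": "SV4.21", "ftp_enabled": False},
    {"name": "rtu-01", "product": "Modicon RTU BMXNOR0200H", "firmware": "V1.7 IR23", "ftp_enabled": True},
    {"name": "plc-09", "product": "Modicon Quantum", "firmware": "V3.20", "ftp_enabled": True},
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(triage(asset))
```

Records with status `update` belong in the maintenance-window schedule; `no-patch` records with `ftp_enabled` set are the ones that depend entirely on the segmentation, ACL and FTP-disable workarounds.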