OTPulse

Modicon Controllers

Monitor | 5.9 | SEVD-2019-281-02 | Sep 26, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple vulnerabilities exist in Schneider Electric Modicon Controllers affecting authentication and encryption on the FTP service. The issues relate to weak password handling and improper access control (CWE-755, CWE-319) on FTP port 21/TCP. An attacker with network access to the FTP service could potentially upload unauthorized firmware or files to the controller, affecting normal operation. Modicon M580 and M580 CPU Safety models have firmware patches available. Modicon M340 firmware version 3.50 includes a fix, but BMxCRA and 140CRA communication modules have no fix currently available. Mitigations include blocking FTP access via firewall, disabling FTP service when not needed, and changing default FTP credentials.

What this means
What could happen
An attacker could access the controller's FTP service without proper authentication, potentially stopping operations or corrupting the program running on the Modicon controller. This could disrupt water treatment, power distribution, or other critical processes depending on how the device is programmed.
Who's at risk
Water and electric utilities operating Schneider Electric Modicon M580, M340, or BMxCRA/140CRA controllers. These devices are commonly used as programmable logic controllers (PLCs) for process control in water treatment plants, pump stations, and electrical distribution systems. Any facility relying on these controllers for critical operational control is affected.
How it could be exploited
An attacker with network access to the controller would connect to the FTP service on port 21/TCP. By exploiting authentication or encryption weaknesses (CWE-319, CWE-755), the attacker could upload malicious firmware or files to overwrite the controller's program or configuration, causing operational disruption.
Prerequisites
  • Network access to port 21/TCP (FTP) on the controller
  • Controller running vulnerable firmware version
  • FTP service enabled (default)
remotely exploitable · no authentication required for exploitation · affects critical process controllers · no patch available for M340 and BMxCRA/140CRA modules
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
4 with fix, 2 EOL
Product | Affected Versions | Fix Status
Modicon M580 All versions | All versions | 4.10
Modicon M580 CPU Safety (part numbers BMEP58*S & BMEH58*S) | <SV4.21 | SV4.21
Modicon M580 prior to 4.10 | <4.10 | 4.10
Modicon M580 prior to 4.02 | <4.02 | 4.10
Modicon M340 All versions | All versions | No fix (EOL)
Modicon BMxCRA and 140CRA modules All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Block all unauthorized access to port 21/TCP (FTP) using network segmentation and firewall rules
WORKAROUND: Disable the FTP service on controllers when not in active use for firmware updates or configuration changes
WORKAROUND: Change default FTP password using Unity/Control Expert in Project Properties > Protection menu
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M580 firmware to version 4.10 or later
HOTFIX: Update Modicon M580 CPU Safety firmware to version SV4.21 or later and update EcoStruxure Control Expert to V16.0 HF001 or later
HOTFIX: Update Modicon M340 firmware to version 3.50 or later