OTPulse

Modicon Controllers, EcoStruxure™ Control Expert and Unity Pro Programming Software

Plan Patch · 8.2 · SEVD-2020-080-01 · Mar 20, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A code injection vulnerability exists in Schneider Electric's Modicon M340 and M580 programmable controllers and EcoStruxure Control Expert programming software. An attacker with network access to a vulnerable controller can inject malicious code through crafted project files, allowing arbitrary code execution on the controller. The vulnerability affects Modicon M340 firmware prior to V3.20, Modicon M580 firmware prior to V3.10, EcoStruxure Control Expert all versions prior to V15.0, and Unity Pro all versions. Researchers from Airbus Cybersecurity identified that similar vulnerabilities likely affect multiple other industrial automation vendors. Remediation requires updating firmware on controllers and software on engineering workstations, implementing application passwords, and implementing network segmentation to restrict access to port 502/TCP.

What this means
What could happen
An attacker with network access to a Modicon controller could inject malicious code into the controller's firmware through a crafted project file, potentially altering process setpoints, stopping critical operations, or causing unsafe process behavior.
Who's at risk
Electric utilities and manufacturing plants using Schneider Modicon M340 or M580 programmable logic controllers (PLCs) with EcoStruxure Control Expert or Unity Pro engineering software. Any organization relying on these controllers for process automation, power distribution control, or manufacturing sequences is affected.
How it could be exploited
An attacker obtains network access to the Modicon controller (typically port 502/TCP) and sends a specially crafted project file designed to exploit code injection vulnerabilities in the firmware update mechanism. The controller accepts and executes the malicious code without proper validation, allowing the attacker to alter or replace legitimate control logic.
Prerequisites
  • Network access to Modicon controller on port 502/TCP
  • Ability to send crafted project files to the controller
  • Controller firmware prior to patched versions
remotely exploitable · network access required · affects process control logic · affects multiple ICS vendors · unpatched versions in use may be common
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (4)
3 with fix, 1 EOL
Product | Affected Versions | Fix Status
EcoStruxure™ Control Expert all | <15.0 | V15.0 or later
Modicon M340 all | <3.20 | V3.20 or above
Unity Pro all versions | All versions | No fix (EOL)
Modicon M580 all | <3.10 | V3.10 or above
Remediation & Mitigation
Do now
WORKAROUND: Implement network segmentation and firewall rules to block unauthorized access to port 502/TCP on Modicon controllers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure Control Expert to version V15.0 or later on engineering workstations
HOTFIX: Update Modicon M340 controller firmware to version V3.20 or above
HOTFIX: Update Modicon M580 controller firmware to version V3.10 or above
HARDENING: Set up an application password in EcoStruxure Control Expert project properties
HOTFIX: Rebuild and transfer all projects to Modicon controllers after updating firmware versions
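
To apply the affected-products table to an asset inventory, the following added example (not part of the advisory and not Schneider Electric tooling) classifies each asset against the fixed versions listed above. The CSV layout, asset names and sample versions are constructed, and it assumes version strings are dotted numbers compared component by component.

```python
import csv
import io
import re

# Fixed versions from the advisory's affected-products table.
# None = no fixed release exists (Unity Pro is end-of-life).
FIXED_IN = {
    "Modicon M340": (3, 20),
    "Modicon M580": (3, 10),
    "EcoStruxure Control Expert": (15, 0),
    "Unity Pro": None,
}

# Constructed sample inventory; asset names and versions are illustrative.
SAMPLE_INVENTORY = """asset,product,version
plc-line1,Modicon M340,V3.01
plc-line2,Modicon M340,V3.20
plc-sub1,Modicon M580,2.90
ews-01,EcoStruxure Control Expert,14.1
ews-02,EcoStruxure Control Expert,15
ews-03,Unity Pro,13.1
plc-sub2,Modicon M580,unknown
"""

def parse_version(text):
    """Parse 'V3.20' or '15' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(installed, fixed):
    """Component-wise numeric comparison, zero-padded so 15 equals 15.0."""
    n = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(installed) < pad(fixed)

def triage(inventory_csv):
    """Map each asset to VULNERABLE, FIXED, EOL, UNKNOWN or NOT_LISTED."""
    status = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product, installed = row["product"].strip(), parse_version(row["version"])
        if product not in FIXED_IN:
            status[row["asset"]] = "NOT_LISTED"
        elif FIXED_IN[product] is None:
            status[row["asset"]] = "EOL"        # no patch will clear this
        elif installed is None:
            status[row["asset"]] = "UNKNOWN"    # verify by hand, never assume fixed
        elif is_older(installed, FIXED_IN[product]):
            status[row["asset"]] = "VULNERABLE"
        else:
            status[row["asset"]] = "FIXED"
    return status

if __name__ == "__main__":
    for asset, state in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:10} {state}")
```

A FIXED result covers only the version check; the application password and the project rebuild and transfer steps in the remediation list still have to be confirmed separately.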