OTPulse

Modicon M100/M200/M221 controllers, SoMachine Basic and EcoStruxure Machine Expert - Basic Programming Software

Plan Patch | 8.2 | SEVD-2020-105-01 | Apr 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A vulnerability exists in the improper validation of input files in the SoMachine Basic and EcoStruxure Machine Expert - Basic programming software. When an engineer opens a specially crafted project file, malicious code can be injected into the Modicon M100/M200/M221 controller configuration. This allows an attacker to alter ladder logic, change process parameters, or disable safety functions without authentication. The vulnerability is triggered by opening a malicious file; no network-based code execution is possible. Schneider Electric has released patches for EcoStruxure (v1.0 SP2+) and the latest firmware for the Modicon controllers, but SoMachine Basic has no patch available and is left unsupported.

What this means
What could happen
An attacker could exploit this vulnerability to inject malicious code into PLC ladder logic or parameters through a specially crafted file, potentially altering process setpoints, disabling safety interlocks, or stopping critical operations in water/electric plants. The attack requires user interaction but could affect multiple controllers in a facility.
Who's at risk
Water and electric utilities operating Schneider Electric Modicon M100, M200, or M221 programmable logic controllers should care about this vulnerability. Also relevant: engineering teams using SoMachine Basic or EcoStruxure Machine Expert - Basic software to configure these controllers. Any facility with automated process control, pump stations, substation controls, or safety interlocks using these devices is at risk.
How it could be exploited
An attacker creates a malicious project or configuration file (likely with a ".zip" or proprietary extension based on CWE-74: Improper Neutralization of Special Elements in Output) and tricks an engineer into opening it with SoMachine Basic or EcoStruxure Machine Expert. When the software parses the file, it executes embedded code that modifies the controller's ladder logic or configuration without validation, allowing changes to be downloaded to the PLC.
Prerequisites
  • Engineering workstation with SoMachine Basic or EcoStruxure Machine Expert installed
  • Valid credentials to access the software (no special privileges required)
  • Network connectivity from workstation to the affected PLC (Modicon M100/M200/M221)
  • User must open a malicious project file that has been delivered via email, USB, or file share
Remotely exploitable via network if engineering workstation is networked
Requires user interaction (opening malicious file)
Low complexity attack
Affects PLCs that run safety-critical operations
No patch available for SoMachine Basic (all versions)
High impact (can modify control logic and safety interlocks)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (5)
4 with fix, 1 EOL
Product | Affected Versions | Fix Status
EcoStruxure Machine Expert - Basic All Version | vers.all/* | >=1.0 SP2
Modicon M100 Logic Controller All Version | All versions | Latest Version
Modicon M200 Logic Controller All Version | All versions | Latest Version
Modicon M221 Logic Controller All Version | All versions | Latest Version
SoMachine Basic All Version | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Disable 'Program' mode on all deployed Modicon controllers; set to 'Run' mode only
  • HARDENING: Place physical locks on controller cabinets to prevent unauthorized access and mode changes
  • HARDENING: Do not connect engineering workstations running SoMachine Basic or programming software to any network other than the isolated control network
  • WORKAROUND: Scan all removable media (USB drives, CDs) with antivirus before connecting to control networks
  • HARDENING: Prohibit mobile devices that have connected to other networks from accessing control networks without proper sanitation and testing
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update EcoStruxure Machine Expert - Basic to version 1.0 SP2 or later
  • HOTFIX: Update Modicon M100, M200, and M221 controllers to the latest firmware version available from Schneider Electric
Mitigations - no patch available
SoMachine Basic All Version has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Isolate all control system networks from the business network using firewalls and air gaps
  • HARDENING: Implement network segmentation to minimize internet exposure of all Modicon controllers