Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (V2.0)

Plan PatchCVSS 7.5SEVD-2020-343-03Dec 8, 2020

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability exists in the embedded web server of Modicon M340, Modicon Quantum, and Modicon Premium controllers and their associated communication modules. The web server does not properly authenticate or validate requests, allowing an unauthenticated attacker with network access to execute commands on the controller. This could allow modification of control logic, process setpoints, or operational shutdown. Some product variants (Modicon Quantum 140NOE771x1, 140NOC78x00, 140NOC77101, and M340 CPUs) are end-of-life with no patches planned.

What this means

What could happen

An unauthenticated attacker with network access to the web server port could execute arbitrary commands on the controller, potentially altering process control logic, setpoints, or stopping operations. This affects availability and system integrity.

Who's at risk

Utilities and manufacturing facilities using Modicon M340, Modicon Premium, or Modicon Quantum programmable controllers for critical process control should assess their exposure. This affects anyone running these legacy Schneider Electric controllers in water treatment, power distribution, manufacturing, or other industrial automation environments where process integrity is essential.

How it could be exploited

An attacker sends a crafted request to the unprotected web server running on the Modicon controller (typically port 80 or 443). The web server does not properly validate input or enforce authentication, allowing the attacker to execute commands directly on the controller's operating system or control logic.

Prerequisites

Network access to the web server port on the affected Modicon controller (typically TCP 80/443)
No valid credentials required

remotely exploitableno authentication requiredlow complexityaffects process integrity and availabilityaffects industrial control systems

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (12)

8 with fix4 EOL

ProductAffected VersionsFix Status

Modicon M340 Ethernet Communication modules BMXNOE0100 (H)<3.33.3

Modicon M340 Ethernet Communication modules BMXNOE0110 (H)<6.53.3

Modicon M340 Ethernet Communication modules BMXNOC0401 (H)<2.103.3

Modicon Premium communication modules TSXETY4103<6.26.2

Modicon Premium communication modules TSXETY4103 prior to V6.4<6.46.2

Modicon Premium processors with integrated Ethernet COPRO<6.16.1

Modicon Quantum processors with integrated Ethernet COPRO 140CPU65xx0 prior to V6.1<6.16.1

Modicon X80 BMXNOR0200H RTU module BMXNOR200H<1.70 IR 231.70 IR 23

Remediation & Mitigation

0/9

Do now

0/2

WORKAROUNDImplement firewall rules to restrict network access to the web server port (80/443) on affected controllers to only authorized engineering workstations or maintenance staff

HARDENINGDisable the web server functionality if not operationally required, or place affected controllers on an isolated engineering network segment with restricted access

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Modicon M340 BMXNOE0100 communication module firmware to version 3.3 or later

HOTFIXUpgrade Modicon M340 BMXNOE0110 communication module firmware to version 6.5 or later

HOTFIXUpgrade Modicon M340 BMXNOC0401 communication module firmware to version 2.10 or later

HOTFIXUpgrade Modicon Premium TSXETY4103 communication module firmware to version 6.2 or later

HOTFIXUpgrade Modicon Premium processors with integrated Ethernet (COPRO) firmware to version 6.1 or later

HOTFIXUpgrade Modicon Quantum processors with integrated Ethernet (COPRO 140CPU65xx0) firmware to version 6.1 or later

HOTFIXUpgrade Modicon X80 BMXNOR0200H RTU module firmware to version 1.70 IR 23 or later

CVEs (2)

CVE-2020-7541 CVE-2020-7539

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8b368e84-d0b5-4198-b29b-76bfef570653

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.