BadAlloc vulnerabilities in memory allocation routines affect multiple Schneider Electric industrial control products. These vulnerabilities can result in denial of service or remote code execution depending on context. The affected products include HMI panels (Harmony/Magelis series), Modicon logic controllers (M241, M251, M262, M258, M340, M580, LMC series, Momentum, Quantum, Premium), MiCOM protective relays, Easergy power monitoring devices, Eurotherm temperature control and PAC systems, Pro-face operator terminals, PowerLogic energy meters, PacDrive controllers, HART communication modules, and various network communication modules. The September 2025 update corrected the affected versions for EPC2000, EPC3000, Eurotherm E+PLC400, Eycon 10/20, T2550 PAC, and T2750 PAC.
What this means
What could happen
Memory allocation vulnerabilities could allow remote attackers to crash devices or execute arbitrary commands without authentication, affecting HMI panels, PLCs, network modules, and power monitoring systems across industrial facilities.
Who's at risk
This impacts a broad range of Schneider Electric industrial automation products used in energy and manufacturing: HMI (Human-Machine Interface) panels from the Harmony/Magelis series, multiple Modicon programmable logic controllers (PLCs) including M240, M250, M260, M340, and M580 families, Easergy power management devices, Eurotherm temperature controllers and PAC systems, Pro-face operator interface terminals, PowerLogic energy meters, PacDrive motion controllers, MiCOM protection relays, and various network modules. Any facility using these devices for process control, power distribution, or monitoring is affected.
How it could be exploited
An attacker on the network could send specially crafted requests to vulnerable devices (HMI panels, Modicon/Easergy controllers, HART modules, Pro-face displays) to trigger improper memory allocation, causing a denial of service or enabling code execution with device privileges.
Prerequisites
Network access to the device on the same network or reachable segment
No credentials required
Low complexity exploitation
Remotely exploitable without authentication
Low complexity exploitation
Affects multiple critical control system components (PLCs, HMI, communication modules, safety systems)
No patches available for numerous products (end-of-life legacy systems)
High CVSS score (9.8 critical)
Exploitability
Some exploitation risk — EPSS score 1.3%
Affected products (83)
62 with fix, 21 pending
Product | Affected Versions | Fix Status
Harmony/Magelis HMIGTUX Series | <6.2 SP11 Multi HotFix 4 | 6.2 SP11 Multi HotFix 4
Harmony/Magelis HMIGK Series | <6.2 SP11 Multi HotFix 4 | 6.2 SP11 Multi HotFix 4
HARDENING: Restrict network access to vulnerable devices by implementing firewall rules to limit connections from untrusted networks and unauthorized workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HMISCU
HOTFIX: Update HMISCU to firmware version 6.2 SP12 or later
HMISTU Series
HOTFIX: Update HMISTU Series to firmware version 6.3 SP1 or later
Modicon M340 CPU
HOTFIX: Update Modicon M340 CPU to version 3.50 or later, and M340 Ethernet modules (BMXNOC0401 to 2.11, BMXNOE0100 to SV3.50, BMXNOE0110 to SV6.70, BMXNOR0200 to 1.7 IR24)
Modicon M580 CPU
HOTFIX: Update Modicon M580 CPU to firmware version SV4.10 or later, and M580 Ethernet modules (BMENOC0301/0311 to SV2.21, BMENOC0321 to SV1.09)
MiCOM C264
HOTFIX: Update MiCOM C264 controllers to the specified fixed versions based on firmware branch (B5.118 for B5.x; D1.92 for D1.x; D4.38 for D4.x; D5.25I for D5.x; D6.18 for D6.x)
Easergy P5
HOTFIX: Update remaining affected products to their specified fixed versions: Easy Harmony ET6 to 1.2.1, Easy Harmony GXU to 1.2.1, MC80 to 1.8, HART X80 modules to SV1.5, RIO modules to specified versions, Easergy P5 to 01.401.101, TAC I/A Series to 4.10u1, SCD6000 RTU to SY-1101207_N, SAGE RTU C3414 to C3414-500-S02K5_P5, Versadac to 2.43
All products
HOTFIX: Update Harmony/Magelis HMIGTUX, HMIGK, HMIGTU Series to firmware version 6.2 SP11 Multi HotFix 4 or later
HOTFIX: Update Modicon M241, M251, M262, M258, LMC058 logic controllers to the specified fixed versions (M241/M251: >=5.1.9.34; M262: >=5.1.6.1; M258/LMC058: 5.0.4.18)
HOTFIX: Update Easergy C5 to version 1.0.5 or later
HOTFIX: Update Easergy MiCOM P30 devices to firmware version 675 or later (or 676.701 for P638 model)
HOTFIX: Update Eurotherm devices: EPC2000 to 4.03, EPC3000 to 5.20, E+PLC400 to 1.4.0.0, Eycon 10/20 to 7.3, T2550 PAC to 8.2, T2750 PAC to 6.3, nanodac to 10.02
HOTFIX: Update Pro-face HMI terminals to specified versions (SP-5B00/5B10/5B90, ST6000, ET6000 to 4.09.350; LT4000M to 4.09.450; GP4000/GP4000H to 4.09.400)
HOTFIX: Update PowerLogic meters (ION7400, PM8000, ION9000) to version 3.1 or later
HOTFIX: Update PacDrive logic controllers (Eco, Pro, Pro2) to version 1.66.5.1 or later
Long-term hardening
HARDENING: Isolate devices with no patches available (Eurotherm E+PLC100, M580 CPU Safety, Momentum ENT, Quantum CPU, Premium CPU, PacDrive M, Profibus Remote Masters, BMXNGD0100, EPack, HMISTO5, LMC078, Pro-face GP series legacy models, Eurotherm 6100A/6180A/6100XIO/6180XIO, Eurotherm AeroDAQ, Easergy MiCOM P40) on segregated networks with restricted access
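An added example (not part of the original advisory and not vendor tooling): triaging an asset inventory against a subset of the fixed versions and the no-patch list above. The short product keys, the status names, the sample inventory and the rule that version components compare as integers are assumptions made for illustration.

```python
import re

# Fixed versions taken from the remediation list above (subset).
FIXED = {
    "M241": "5.1.9.34",
    "M262": "5.1.6.1",
    "M580 CPU": "SV4.10",
    "PM8000": "3.1",
    "HMIGTU": "6.2 SP11 Multi HotFix 4",
}
# Subset of the products listed above as having no patch available.
NO_FIX = {"Quantum CPU", "Premium CPU", "Momentum ENT", "PacDrive M"}

def parse_version(text):
    """'SV4.10' or '5.1.9.34' -> tuple of ints; None for other formats."""
    m = re.fullmatch(r"(?:SV)?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(product, installed):
    """Classify one asset: isolate, not-listed, manual-review, update, patched."""
    if product in NO_FIX:
        return "isolate"
    if product not in FIXED:
        return "not-listed"
    have, need = parse_version(installed), parse_version(FIXED[product])
    if have is None or need is None:
        # Service-pack / hotfix strings are not ordered here on purpose.
        return "manual-review"
    # Assumption: components compare as integers; pad so 3.1 == 3.1.0.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return "patched" if have >= need else "update"

# Constructed sample inventory (product, installed firmware); not real data.
INVENTORY = [
    ("M241", "5.1.9.21"),
    ("M262", "5.1.6.1"),
    ("M580 CPU", "SV3.20"),
    ("PM8000", "3.1.0"),
    ("Quantum CPU", "3.60"),
    ("HMIGTU", "6.2 SP11"),
]

def report(inventory=INVENTORY):
    return {f"{p} {v}": triage(p, v) for p, v in inventory}
if __name__ == "__main__":
    for asset, status in report().items():
        print(f"{status:14} {asset}")
```

Assets reported as manual-review carry service-pack or hotfix version strings, which need to be checked by hand against the vendor's fixed version.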