EcoStruxureTM Control Expert, EcoStruxureTM Process Expert, and Modicon Controllers M580 and M340

Act Now9.8SEVD-2022-221-01Aug 9, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, and Modicon M340/M580 controllers allows bypass of access controls, potentially enabling arbitrary code execution on affected industrial controllers. The vulnerability impacts the integrity and confidentiality of project files and control logic on affected devices. An attacker could exploit this to modify or disable industrial processes without proper authorization.

What this means

What could happen

An attacker could bypass access controls and execute arbitrary code on the PLC, allowing them to modify control logic, alter process setpoints, or stop plant operations without authorization.

Who's at risk

This vulnerability affects industrial automation engineers and plant operations staff at utilities and manufacturers using Schneider Electric's programmable logic controllers (PLCs) and engineering software. Specifically, any organization running Modicon M340 or M580 controllers, or using EcoStruxure Control Expert or Process Expert software for industrial process automation, should prioritize patching. Energy sector facilities are at highest risk.

How it could be exploited

An attacker with network access to an affected Modicon M340 or M580 controller, or to a workstation running EcoStruxure Control Expert or Process Expert, could exploit an access control bypass to upload malicious code to the device. This could allow remote execution of commands on the PLC that control industrial processes.

Prerequisites

Network access to the affected PLC or the engineering workstation running EcoStruxure software
No authentication required to exploit the access control bypass

Remotely exploitableNo authentication requiredLow complexity attackAffects industrial control systemsCritical severity (CVSS 9.8)High impact on confidentiality and integrityNo patch available for some Modicon M580 CPU variants

Exploitability

Low exploit probability (EPSS 0.6%)

Affected products (6)

4 with fix2 EOL

ProductAffected VersionsFix Status

EcoStruxure™ Control Expert <=15.0 SP1≤ 15.0 SP115.1

EcoStruxure™ Process Expert <2021<20212021

Modicon M340 CPU <=3.40≤ 3.403.50

Modicon M580 CPU Safety< SV4.21SV4.21

Modicon M580 CPU <=3.22≤ 3.22No fix (EOL)

Modicon M580 CPU Safety <SV4.10<SV4.10No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDFor Modicon M580 CPU (non-safety), apply available remediation from March 2023 update or isolate the device from untrusted network access using a firewall or air-gap until a fix is available

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

Modicon M580 CPU Safety

HOTFIXUpdate Modicon M580 CPU Safety firmware to version SV4.21 or later if using safety functions

All products

HOTFIXUpdate EcoStruxure Control Expert to version 15.1 or later

HOTFIXUpdate EcoStruxure Process Expert to version 2021 or later

HOTFIXUpdate Modicon M340 CPU firmware to version 3.50 or later

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Modicon M580 CPU <=3.22, Modicon M580 CPU Safety <SV4.10. Apply the following compensating controls:

HARDENINGFor Modicon M580 CPU Safety versions before SV4.10, implement network segmentation to restrict access to the controller until patching is possible

CVEs (1)

CVE-2022-37300

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b1d697fa-5359-491f-be96-a47dc3d9c05b