Modicon PAC Controllers
Plan Patch | 7.5 | SEVD-2022-221-02 | Aug 9, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Modicon PAC Controllers (M340, M580, MC80, Momentum MDI, and legacy Quantum/Premium models) can cause memory-related errors leading to denial of service when processing Modbus TCP requests. The vulnerability affects multiple versions across Schneider Electric's PAC controller lineup, with legacy Quantum and Premium models having no fix available.
What this means
What could happen
An attacker could send specially crafted Modbus TCP commands to crash the PAC controller, causing a denial of service that stops process monitoring and control operations until the device is manually rebooted.
Who's at risk
Water authorities and municipal electric utilities operating Modicon PAC controllers for process automation and monitoring, including M340, M580, MC80, and Momentum MDI controllers. Legacy facilities using Modicon Quantum or Premium controllers are also affected but cannot be patched. Energy and manufacturing facilities relying on Modbus TCP-based control are at risk.
How it could be exploited
An attacker with network access to the Modbus TCP port (default 502) on the PAC controller sends malformed or specially crafted Modbus TCP messages. The controller processes these messages incorrectly due to a memory-related bug (integer underflow, likely CWE-191), triggering a crash or hang that stops the controller from responding to legitimate control commands.
Prerequisites
- Network access to Modbus TCP port 502 on the PAC controller
- No authentication required to send Modbus TCP commands on default configurations
Tags: remotely exploitable, no authentication required, low complexity, affects industrial control operations, legacy products have no patch available
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
5 with fix, 1 pending
Product | Affected Versions | Fix Status
Modicon M340 CPU | ≤ 3.40 | 3.50
Modicon M580 CPU | ≤ 3.22 | 4.10
Modicon MC80 | All versions | 1.8
Modicon Momentum MDI CPU | ≤ 2.5 | 2.6
Legacy Modicon Quantum/Premium | All versions | No fix yet
Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) | < SV4.21 | SV4.21
Remediation & Mitigation
Do now
WORKAROUND: For legacy Modicon Quantum and Premium controllers with no patch available, restrict network access to Modbus TCP port 502 using firewall rules or network segmentation to limit exposure
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Modicon M340 CPU to firmware version 3.50 or later
HOTFIX: Update Modicon M580 CPU to firmware version 4.10 or later
HOTFIX: Update Modicon MC80 to firmware version 1.8 or later
HOTFIX: Update Modicon Momentum MDI CPU to firmware version 2.6 or later
HOTFIX: Update Modicon M580 CPU Safety (BMEP58*S and BMEH58*S) to firmware version SV4.21 or later; ensure EcoStruxure Control Expert V16.0 HF001 or later is installed to maintain compatibility
Long-term hardening
HARDENING: Implement network segmentation to isolate PAC controllers on a separate industrial control network and restrict external access to Modbus TCP ports
HARDENING: Disable Modbus TCP on PAC controllers if it is not required for your operations, or restrict it to only authorized engineering workstations
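The port 502 restriction recommended above, written as an nftables ruleset for a Linux gateway that routes between the plant network and the controllers. This is an added example, not part of the vendor advisory; the table and set names and all addresses (documentation ranges) are constructed placeholders to replace with your own.

```nft
# Added example: restrict Modbus TCP (port 502) to authorized engineering
# workstations. All names and addresses below are constructed placeholders.
table inet modbus_guard {

    # Controllers to protect, including legacy Quantum/Premium units
    # for which no firmware fix is available.
    set plc_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11, 192.0.2.12 }
    }

    # Hosts permitted to speak Modbus TCP to the controllers.
    set eng_workstations {
        type ipv4_addr
        elements = { 198.51.100.20, 198.51.100.21 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies on connections that were already permitted.
        ct state established,related accept

        # Allow Modbus TCP only from the allowlisted workstations.
        ip saddr @eng_workstations ip daddr @plc_hosts tcp dport 502 accept

        # Log and drop every other attempt to reach port 502 on a controller.
        # The counter and log prefix give operations a signal to alert on.
        ip daddr @plc_hosts tcp dport 502 counter log prefix "modbus-deny: " drop
    }
}
```

Check the file with `nft -c -f <file>` before loading it. The rules match IPv4 only; controllers reachable over IPv6 need equivalent `ip6` rules.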
CVEs (1)