OTPulse

EcoStruxure™ Control Expert

Category: Monitor
CVSS Score: 5.5
Advisory ID: SEVD-2022-221-03
Published: Aug 9, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

EcoStruxure™ Control Expert versions 15.1 HF001 and earlier contain a buffer overflow vulnerability (CWE-119) that can cause the software to crash when processing malformed input. The software is used for programming, debugging, and operating Modicon M340, M580, M580S, Premium, Momentum, and Quantum PLC controllers. Failure to patch may result in denial of service to engineering and diagnostic tools during critical system management tasks.

What this means
What could happen
A crash in EcoStruxure™ Control Expert engineering software could interrupt configuration, programming, and monitoring of connected PLCs (M340, M580, Premium, Momentum, Quantum), potentially delaying system updates or emergency response during active plant operations.
Who's at risk
Energy sector organizations operating Schneider Electric Modicon M340, M580, M580S, Premium, Momentum, or Quantum PLCs should care about this vulnerability. Specifically, engineering teams and system integrators who use EcoStruxure™ Control Expert for programming and maintenance of these controllers are affected.
How it could be exploited
An attacker with local access to an engineering workstation running EcoStruxure™ Control Expert could trigger a buffer overflow by supplying malformed input through the software interface, causing the application to crash and denying the engineer access to control system configuration and debugging.
Prerequisites
  • Local access to an engineering workstation running EcoStruxure™ Control Expert version 15.1 HF001 or earlier
  • User interaction required (an engineer must open or interact with the malicious input)
Tags: local access required · user interaction required · affects engineering workstations · low EPSS score
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product                        Affected Versions    Fix Status
EcoStruxure™ Control Expert    ≤ 15.1 HF001         15.2
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure™ Control Expert to version 15.2 or later
API: /api/v1/advisories/4b704a12-94f3-4050-b0dd-8b877b503fe4