OTPulse

EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon M340, M580 and M580 CPU Safety

Plan Patch | CVSS 8.1 | SEVD-2023-010-06 | Jan 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Schneider Electric has identified authentication bypass vulnerabilities (CWE-294) in EcoStruxure Control Expert, EcoStruxure Process Expert, Modicon M340, M580, M580 CPU Safety, Modicon Momentum Unity M1E, and Modicon MC80. These programmable logic controllers and distributed control systems are susceptible to remote unauthorized access through malformed packets sent to the Ethernet interface without requiring valid credentials. Successful exploitation could allow an attacker to execute arbitrary commands, modify automation logic, or halt operations. The M580 and M580 CPU Safety have firmware patches available (sv4.20 and SV4.21 respectively). M340, the EcoStruxure software products, M1E, and MC80 have no announced fixes and must be protected through network access controls.

What this means
What could happen
An attacker with network access to a Modicon M340 or M580 PLC could bypass authentication and execute unauthorized commands on the controller, potentially altering process setpoints, stopping operations, or compromising safety functions. This could result in loss of operational control, unplanned shutdowns, or safety system compromise in critical infrastructure.
Who's at risk
Water utilities and electric power plants that use Schneider Electric Modicon PLCs and PACs, particularly those running M340 or M580 controllers for process automation or safety-critical functions. Also affects any facility using EcoStruxure Control Expert or EcoStruxure Process Expert for programming or managing these controllers. Energy and manufacturing sectors are most at risk.
How it could be exploited
An attacker sends specially crafted packets to the PLC's Ethernet port (port 502 or engineering service ports). Without proper authentication checks, the malformed requests allow the attacker to bypass credential verification and gain direct access to the controller's command interface. From there, the attacker can upload new logic, modify existing programs, or stop the PLC.
Prerequisites
  • Network access to the PLC's Ethernet port (typically port 502 or engineering ports)
  • No authentication required - vulnerability does not require valid credentials
  • Attacker must craft specific packet structure (CWE-294: Improper Authentication)
Risk factors
  • Remotely exploitable over network
  • No authentication required
  • Affects safety systems (M580 CPU Safety)
  • No patch available for multiple products (M340, Control Expert, Process Expert, M1E, MC80)
  • High CVSS score (8.1)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
2 with fix, 5 EOL
Product | Affected Versions | Fix Status
EcoStruxure™ Process Expert All Versions | All versions | No fix (EOL)
Modicon M340 CPU all versions | All versions | No fix (EOL)
Modicon Momentum Unity M1E Processor all versions | All versions | No fix (EOL)
Modicon MC80 all versions | All versions | No fix (EOL)
Modicon M580 CPU | <sv4.20 | sv4.20
Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) | <SV4.21 | SV4.21
EcoStruxure™ Control Expert all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For Modicon M340, EcoStruxure Control Expert, EcoStruxure Process Expert, Modicon Momentum Unity M1E, and Modicon MC80 (no fix available), restrict network access to the PLC's Ethernet ports using firewall rules or network segmentation, allowing connections only from known engineering workstations or authorized networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Modicon M580 CPU
HOTFIX: Update Modicon M580 CPU (non-Safety) to firmware sv4.20 or later.
HOTFIX: Update Modicon M580 CPU Safety (BMEP58*S, BMEH58*S) to firmware SV4.21 or later.
All products
HOTFIX: If updating M580 CPU Safety to SV4.21, also update EcoStruxure Control Expert to v16.0 HF001 or later to maintain compatibility.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EcoStruxure™ Process Expert All Versions, Modicon M340 CPU all versions, Modicon Momentum Unity M1E Processor all versions, Modicon MC80 all versions, EcoStruxure™ Control Expert all versions. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate PLCs from untrusted networks using a demilitarized zone (DMZ) or air-gapped engineering network.
HARDENING: Monitor and log all connections to PLC engineering ports for anomalous access patterns.
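
One way to act on the monitoring item above, as an added example (not from Schneider Electric or OTPulse): a Python check that flags connections to PLC ports from sources outside an engineering-workstation allowlist. The log format, IP addresses and allowlist are constructed assumptions; port 502 is the one named in the advisory.

```python
import ipaddress
import re
from collections import Counter

# Assumption: sources permitted to reach PLC ports (engineering workstations).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.5.20/32", "10.10.6.0/28")]
# Port 502 is named in the advisory; add site-specific engineering ports here.
PLC_PORTS = {502}

# Constructed log format: "<timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <action>"
LINE_RE = re.compile(r"^(\S+) ([\d.]+):\d+ -> ([\d.]+):(\d+) (\w+)$")

# Constructed sample data, not taken from any real network.
SAMPLE_LOG = """\
2023-01-12T08:14:02Z 10.10.5.20:49822 -> 10.20.0.11:502 ACCEPT
2023-01-12T08:15:40Z 10.10.6.3:51010 -> 10.20.0.12:502 ACCEPT
2023-01-12T09:02:17Z 192.168.40.77:40112 -> 10.20.0.11:502 ACCEPT
2023-01-12T09:02:19Z 192.168.40.77:40113 -> 10.20.0.12:502 ACCEPT
2023-01-12T09:05:00Z 10.10.5.20:49900 -> 10.20.0.11:443 ACCEPT
2023-01-12T09:07:31Z 172.16.9.4:33001 -> 10.20.0.11:502 DROP
garbled line that does not parse
"""

def is_allowed(src):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_unauthorized(log_text):
    """Return (alerts, unparsed): alerts are connections to PLC ports from
    sources outside the allowlist; unparsed lines are kept for manual review."""
    alerts, unparsed = [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts, src, dst, dport, action = m.groups()
        if int(dport) in PLC_PORTS and not is_allowed(src):
            alerts.append((ts, src, dst, action))
    return alerts, unparsed

def summarize(alerts):
    """Count alerts per source. ACCEPT means traffic reached the PLC port
    (a segmentation gap); DROP means the firewall blocked the attempt."""
    accepted = Counter(src for _, src, _, action in alerts if action == "ACCEPT")
    dropped = Counter(src for _, src, _, action in alerts if action == "DROP")
    return accepted, dropped

if __name__ == "__main__":
    alerts, unparsed = find_unauthorized(SAMPLE_LOG)
    print(summarize(alerts), "unparsed:", len(unparsed))
```

An ACCEPT from a non-allowlisted source means the firewall restriction from the workaround is missing or incomplete for that path, which matters most for the products listed with no fix.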