EcoStruxure™ Control Expert
Plan Patch | 8.8 | SEVD-2023-101-03 | Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
EcoStruxure Control Expert contains multiple vulnerabilities leading to arbitrary code execution and privilege escalation. EcoStruxure Control Expert is the programming, debugging, and operating software for Modicon PLCs and PACs. Successful exploitation could result in denial of service and loss of confidentiality and integrity of the software.
What this means
What could happen
An attacker could execute arbitrary code on the engineering workstation running EcoStruxure Control Expert, potentially gaining the ability to modify PLC/PAC control logic, alter process parameters, or disable safety functions across connected industrial systems.
Who's at risk
Energy and manufacturing organizations using Modicon PLCs or PACs should prioritize this fix. Any facility relying on EcoStruxure Control Expert for PLC/PAC programming and configuration is at risk. This affects engineering teams, system integrators, and control system operators responsible for industrial automation systems.
How it could be exploited
An attacker could exploit these vulnerabilities through network access to the workstation running EcoStruxure Control Expert. User interaction (such as opening a malicious project file or visiting a compromised web resource) is required to trigger the vulnerability and allow code execution on the engineering workstation.
Prerequisites
- Network access to the engineering workstation running EcoStruxure Control Expert
- User interaction required (opening malicious project file or link)
- EcoStruxure Control Expert version prior to 16.0 must be installed
- remotely exploitable
- requires user interaction
- affects engineering workstations controlling critical processes
- no patch available for versions before 16.0
- CVSS 8.8 (high severity)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| EcoStruxure™ Control Expert <V16.0 | <V16.0 | Version 16.0 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update EcoStruxure Control Expert to Version 16.0 or later
CVEs (2)