Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers)

Plan PatchCVSS 7.5SEVD-2023-101-05Apr 11, 2023

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric has identified multiple denial of service vulnerabilities in Modicon PLCs and PACs (M340, M580, M580 Safety, Momentum Unity M1E, MC80, Premium, and Quantum CPUs) that can cause the controller CPU to stop processing control logic. The vulnerability is triggered by sending a specially crafted request to the controller and requires no authentication. Exploitation would halt all automation and process control operations until the device is manually recovered. Several legacy product lines (Premium and Quantum) have no firmware patch available from the vendor.

What this means

What could happen

A denial of service attack could stop the Modicon PLC/PAC from executing control logic, disrupting operations at power plants, water treatment facilities, or manufacturing lines that depend on these controllers to maintain safety and process continuity.

Who's at risk

Organizations operating Schneider Modicon PLCs and PACs in energy generation, power distribution, water treatment, manufacturing, and other critical infrastructure. Specifically affects water utilities and electric utilities running M340, M580, M580 Safety, Momentum Unity M1E, MC80, Premium, or Quantum CPU modules.

How it could be exploited

An attacker with network access to the PLC's communication port (typically Ethernet or serial) could send a specially crafted request that causes the CPU to stop responding or restart, halting the execution of all automation logic and process control until the device is manually recovered.

Prerequisites

Network access to the Modicon PLC communication port (port 502 for Modbus TCP or equivalent serial access)
No authentication required to send the malicious request

remotely exploitableno authentication requiredlow complexityaffects critical control operationslegacy versions have no patch available

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (7)

5 with fix2 EOL

ProductAffected VersionsFix Status

Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)< SV4.21SV4.21

Modicon Momentum Unity M1E Processor all<sv2.70SV2.70

Modicon M340 CPU< SV3.51SV3.51

Modicon M580 CPU<4.10SV4.10

Modicon MC80<SV2.0SV2.0

Legacy Modicon Premium CPUs all versionsAll versionsNo fix (EOL)

Legacy Modicon Quantum all versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDImplement network segmentation or firewall rules to restrict network access to Modicon M340, M580, MC80, Premium, and Quantum CPUs to only authorized engineering and control network segments

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

Modicon M340 CPU

HOTFIXUpdate Modicon M340 CPU to firmware version SV3.51 or later

Modicon M580 CPU

HOTFIXUpdate Modicon M580 CPU to firmware version SV4.10 or later

HOTFIXUpdate Modicon M580 CPU Safety (BMEP58*S and BMEH58*S) to firmware version SV4.21 or later, and install EcoStruxure Control Expert V16.0 HF001 minimum on engineering workstations

Modicon MC80

HOTFIXUpdate Modicon MC80 to firmware version SV2.0 or later

All products

HOTFIXUpdate Modicon Momentum Unity M1E Processor to firmware version SV2.70 or later

CVEs (2)

CVE-2023-25619 CVE-2023-25620

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/200da5e1-8da9-4c07-a3eb-6ae52de92750

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.