EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon M340, M580 and M580 Safety PLCs
Plan Patch | CVSS 8.1 | SEVD-2024-044-01 | Feb 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Multiple vulnerabilities exist in Modicon PLC firmware and EcoStruxure engineering software (CWE-924, CWE-798, CWE-522). The vulnerabilities allow remote attackers to gain unauthorized access to PLCs without authentication and execute commands that could deny service or compromise the confidentiality and integrity of the controller. Affected products include Modicon M340, M580, MC80, Momentum Unity M1E, and the engineering/DCS software EcoStruxure Control Expert and EcoStruxure Process Expert.
What this means
What could happen
An attacker with network access to these PLCs could run unauthorized commands on the controller, potentially stopping critical processes, altering setpoints, or disrupting control of power systems, water treatment, or manufacturing operations.
Who's at risk
Energy utilities (electric generation and distribution), water/wastewater treatment, and manufacturing facilities that use Schneider Electric Modicon M340, M580, MC80, or Momentum PLCs, or those that program/operate these systems via EcoStruxure Control Expert and Process Expert software. Water authorities and municipal electric utilities are particularly impacted if they rely on these PLCs for SCADA or process automation.
How it could be exploited
An attacker on the network can send crafted requests to the affected PLC or engineering software without authentication. If the PLC is reachable from the network (the engineering LAN or, worse, the corporate network), the attacker can execute commands that alter or halt industrial processes.
Prerequisites
- Network access to the PLC or engineering workstation running EcoStruxure Control/Process Expert
- No valid credentials required
- PLC must be on firmware version prior to the fixed versions listed
remotely exploitable | no authentication required | affects industrial control systems | high CVSS score (8.1) | no patch available for M580 non-Safety and MC80 | no patch available for Momentum Unity M1E
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
4 with fix, 2 pending, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Modicon Momentum Unity M1E Processor (171CBU*) | All versions | No fix (EOL) |
| Modicon M340 CPU (part numbers BMXP34*) | Versions prior to SV3.60 | SV3.60 |
| Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety) | < SV4.20 | No fix yet |
| Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) | < SV4.21 | SV4.21 |
| EcoStruxure™ Control Expert | Versions prior to v16.0 | Version 16.0 |
| EcoStruxure™ Process Expert | Versions prior to v2023 | Version 15.3 HF008 |
| Modicon MC80 (part numbers BMKC80) | All versions | No fix yet |
Remediation & Mitigation
Do now
- HARDENING: For Modicon M580 CPU (non-Safety versions): Apply network segmentation to isolate PLCs from untrusted networks; Schneider Electric has not released a firmware patch for this product line
- HARDENING: For Modicon MC80 and Momentum Unity M1E: Apply network segmentation and firewall rules to restrict access to the controller; no vendor fix is available
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update Modicon M340 CPU to firmware SV3.60 or later
- HOTFIX: Update Modicon M580 CPU Safety to firmware SV4.21 or later
- HOTFIX: Update EcoStruxure Control Expert to version 16.0 (or version 16.0 HF001 if using M580 CPU Safety)
- HOTFIX: Update EcoStruxure Process Expert to version 15.3 HF008 or later
- HOTFIX: Reboot the computer after installation of EcoStruxure Control Expert updates is completed
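As an added example (not Schneider Electric's or this page's code), the controller rows of the affected-products table can be turned into an inventory triage that sorts each PLC into "update", "segment" or "not affected". The sample inventory is constructed, the `BMKC80*` prefix match and the integer comparison of SV minor numbers are assumptions, and the two software products are left out.

```python
import re
from fnmatch import fnmatchcase

# Controller rows from the advisory table:
# (label, part-number globs, "affected below" version or None = all versions, fix or None)
# The Safety row must come first: BMEP58*S parts also match the broader BMEP* glob.
RULES = [
    ("M580 CPU Safety", ("BMEP58*S", "BMEH58*S"), (4, 21), "SV4.21"),
    ("M580 CPU", ("BMEP*", "BMEH*"), (4, 20), None),
    ("M340 CPU", ("BMXP34*",), (3, 60), "SV3.60"),
    ("MC80", ("BMKC80*",), None, None),          # prefix match is an assumption
    ("Momentum Unity M1E", ("171CBU*",), None, None),
]

def parse_sv(text):
    """Parse 'SV3.60' / 'sv3.60' / '3.60' into (3, 60); None if unparseable."""
    m = re.fullmatch(r"\s*(?:SV|V)?\s*(\d+)\.(\d+)\s*", text, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(part_number, firmware):
    """Return (product label or None, recommended action) for one inventory row."""
    pn = part_number.strip().upper()
    for label, globs, below, fix in RULES:
        if not any(fnmatchcase(pn, g) for g in globs):
            continue
        if below is not None:
            ver = parse_sv(firmware)
            if ver is None:
                return label, "unknown firmware, verify manually"
            if ver >= below:
                return label, "not affected"
        if fix:
            return label, f"update to {fix} or later"
        return label, "no fix, segment and firewall"
    return None, "not listed in advisory"

if __name__ == "__main__":
    # Constructed sample inventory: (part number, reported firmware)
    inventory = [("BMXP342020", "SV3.50"), ("BMEP584040S", "SV4.20"),
                 ("BMEP584040", "SV4.10"), ("BMKC8020310", "SV1.50"),
                 ("171CBU98090", "SV2.00"), ("BMXP342020", "n/a")]
    for pn, fw in inventory:
        print(f"{pn:14} {fw:8} -> {triage(pn, fw)}")
```

Rows with unparseable firmware strings are flagged for manual verification rather than assumed safe.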