Wind River VxWorks DHCP Server Vulnerability
Act Now | CVSS 9.8 | SEVD-2025-014-03 | Jan 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in the VxWorks DHCP server embedded in Schneider Electric Modicon M580 and Quantum communication modules allows a stack overflow attack. Exploitation could result in loss of confidentiality, integrity, and denial of service on the affected communication modules (BMENOC0321, BMECRA31210, BMXCRA31200, BMXCRA31210, 140CRA31200, 140CRA31908).
What this means
What could happen
A stack overflow in the VxWorks DHCP server embedded in communication modules could allow an attacker to execute arbitrary code and fully compromise the device, disrupting communication between controllers and field devices and potentially affecting process control operations.
Who's at risk
Owners of Modicon M580 and Quantum programmable logic controllers using Schneider Electric communication modules (BMENOC0321, BMECRA31210, BMXCRA31200, BMXCRA31210, 140CRA31200, 140CRA31908) should apply patches. These modules handle communication between the controller and remote I/O devices; compromise could disrupt entire production lines or utility operations.
How it could be exploited
An attacker sends a crafted DHCP packet over the network to the communication module's DHCP server. The stack overflow allows the attacker to overwrite memory and execute arbitrary code on the module, gaining control over communications and potentially altering or stopping command delivery to PLCs.
Prerequisites
- Network access to the communication module's network interface
- Ability to send DHCP packets to the module
Remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), affects process communication
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (6)
6 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Modicon M580 communication modules BMENOC0321 | <SV1.10 | SV1.10 |
| Modicon M580 communication modules BMECRA31210 | <SV02.80 | SV02.80 |
| Modicon M580/Quantum communication modules BMXCRA31200 | <SV02.80 | SV02.80 |
| Modicon M580/Quantum communication modules BMXCRA31210 | <SV02.80 | SV02.80 |
| Modicon Quantum communication modules 140CRA31200 | <02.80 | 02.80 |
| Modicon Quantum communication module 140CRA31908 | <02.80 | 02.80 |
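An inventory check against the affected-products table, as an added example that is not part of the original advisory or any vendor tooling: it flags modules whose reported firmware is older than the fixed version. The inventory rows are constructed, and comparing dotted version fields numerically (so 1.9 < 1.10) is an assumption.

```python
import re

# Fixed firmware versions, copied from the affected-products table in this advisory.
FIXED = {
    "BMENOC0321": "SV1.10",
    "BMECRA31210": "SV02.80",
    "BMXCRA31200": "SV02.80",
    "BMXCRA31210": "SV02.80",
    "140CRA31200": "02.80",
    "140CRA31908": "02.80",
}

def parse_version(text):
    """Parse 'SV02.80' or '2.80' into a tuple of ints such as (2, 80)."""
    # Assumption: dotted fields compare numerically, so 1.9 < 1.10.
    m = re.fullmatch(r"\s*(?:SV)?\s*(\d+(?:\.\d+)*)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def assess(inventory):
    """Return (asset, model, status); status: vulnerable, fixed, not-listed, unknown-version."""
    results = []
    for asset, model, firmware in inventory:
        fixed = FIXED.get(model.strip().upper())
        if fixed is None:
            status = "not-listed"            # model does not appear in this advisory
        else:
            try:
                current = parse_version(firmware)
                status = "vulnerable" if current < parse_version(fixed) else "fixed"
            except ValueError:
                status = "unknown-version"   # needs manual review; never assume safe
        results.append((asset, model, status))
    return results

# Constructed sample inventory: (asset tag, module reference, reported firmware).
SAMPLE = [
    ("rack1-noc", "BMENOC0321", "SV1.09"),
    ("rack2-cra", "BMECRA31210", "SV02.80"),
    ("rio-drop3", "140CRA31200", "2.70"),
    ("rio-drop4", "BMXCRA31210", "n/a"),
    ("spare-01", "EXAMPLE-MODEL", "SV3.20"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(*row, sep="\t")
```
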
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to communication module DHCP ports using firewall rules; only allow DHCP traffic from trusted network segments
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Modicon M580/Quantum communication modules BMXCRA31200
HOTFIX: Upgrade Modicon M580/Quantum communication modules BMXCRA31200 and BMXCRA31210 to firmware version SV02.80 or later
Modicon Quantum communication modules 140CRA31200
HOTFIX: Upgrade Modicon Quantum communication modules 140CRA31200 and 140CRA31908 to firmware version 02.80 or later
All products
HOTFIX: Upgrade Modicon M580 communication module BMENOC0321 to firmware version SV1.10 or later
HOTFIX: Upgrade Modicon M580 communication module BMECRA31210 to firmware version SV02.80 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate communication modules from untrusted network sources
CVEs (1)