OTPulse

EcoStruxure™ OPC UA Server Expert and EcoStruxure™ Modicon Communication Server

Plan Patch | CVSS 7.5 | SEVD-2025-287-01 | Oct 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability exists in EcoStruxure™ OPC UA Server Expert that could result in loss of real-time process data from Modicon controllers connected through the OPC UA communication platform. The vulnerability is due to improper resource management (CWE-770). EcoStruxure™ Modicon Communication Server has the same root cause but no fix is planned for that product.

What this means
What could happen
An attacker could crash the OPC UA server, causing loss of real-time visibility into PLC status and process data flowing to IIoT and SCADA systems. This could prevent operators from monitoring or responding to process anomalies.
Who's at risk
Water and power utilities operating Modicon PLCs with EcoStruxure™ OPC UA Server Expert for real-time data collection and IIoT integration are affected. This includes any facility using the OPC UA gateway to bridge legacy Modicon controllers to modern SCADA, historian, or cloud IIoT platforms. EcoStruxure™ Modicon Communication Server affects sites integrating Modicon PLCs with Aveva System Platform.
How it could be exploited
An attacker with network access to the OPC UA server port could send specially crafted requests that exhaust server resources (memory or connections), triggering a denial of service. No authentication is required. The attacker does not need valid credentials or legitimate client access; the vulnerability can be triggered by any network client.
Prerequisites
  • Network reachability to the OPC UA server port (default port 4840)
  • No authentication required
  • Ability to send OPC UA protocol packets
Risk factors:
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (7.5)
  • no patch available for Modicon Communication Server
  • affects data visibility in real-time operations
Affected products (2)
1 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| EcoStruxure™ OPC UA Server Expert | <SV2.01 SP3 | SV2.01 SP3 |
| EcoStruxure™ Modicon Communication Server | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: For EcoStruxure™ Modicon Communication Server (no patch available), implement network-layer access controls: restrict OPC UA port access to only authorized engineering workstations and SCADA/IIoT systems using firewall rules.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ OPC UA Server Expert
HOTFIX: Upgrade EcoStruxure™ OPC UA Server Expert to version SV2.01 SP3 or later.
Mitigations - no patch available
EcoStruxure™ Modicon Communication Server (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment the OPC UA server onto a dedicated industrial DMZ or control network; prevent untrusted networks from directly reaching the server.
HARDENING: Monitor OPC UA server resource usage (memory, connection count) for anomalous spikes that may indicate an attack in progress.
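
One way to check both the firewall allowlist workaround and the connection-count monitoring control on the server host, as an added example that is not vendor or OTPulse code. The allowlisted client addresses, the thresholds, and the sample `netstat -an` output are assumptions constructed for illustration; only port 4840 comes from the advisory.

```python
import re
from collections import Counter

OPC_UA_PORT = 4840                              # default port named in the advisory
ALLOWED_CLIENTS = {"10.20.0.11", "10.20.0.12"}  # assumption: authorized SCADA/engineering hosts
MAX_PER_CLIENT = 5                              # assumption: per-client connection baseline
MAX_TOTAL = 20                                  # assumption: total connection baseline

# Constructed sample in Windows `netstat -an` layout (not real capture data).
SAMPLE = "\n".join(
    ["  TCP    0.0.0.0:4840       0.0.0.0:0           LISTENING",
     "  TCP    10.20.0.5:4840     10.20.0.11:50112    ESTABLISHED",
     "  TCP    10.20.0.5:4840     10.20.0.12:50233    ESTABLISHED",
     "  TCP    10.20.0.5:445      10.20.0.30:51000    ESTABLISHED"]
    + [f"  TCP    10.20.0.5:4840     192.168.7.44:{40000 + i}  ESTABLISHED"
       for i in range(8)]
)

# Captures: local port, remote address, connection state.
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):\d+\s+(\S+)\s*$")

def review_connections(netstat_text, allowed=ALLOWED_CLIENTS,
                       max_per_client=MAX_PER_CLIENT, max_total=MAX_TOTAL):
    """Return (finding, client, count) tuples for connections to the OPC UA port."""
    per_client = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        local_port, remote_addr, state = m.groups()
        if int(local_port) != OPC_UA_PORT or state == "LISTENING":
            continue
        per_client[remote_addr] += 1
    findings = []
    for addr, count in sorted(per_client.items()):
        if addr not in allowed:          # peer got past the intended allowlist
            findings.append(("unauthorized_client", addr, count))
        if count > max_per_client:       # one peer holding many sessions
            findings.append(("connection_spike", addr, count))
    total = sum(per_client.values())
    if total > max_total:                # overall load above baseline
        findings.append(("total_connections_high", "*", total))
    return findings

if __name__ == "__main__":
    for finding in review_connections(SAMPLE):
        print(finding)
```

Feed it live `netstat -an` output on a schedule and forward any findings to the site's alerting; tune the thresholds to the normal client count of the installation.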