Multiple critical security vulnerabilities in Schneider Electric Modicon Controllers
Take action: This advisory impacts a lot of products. If you are using Schneider Electric Modicon controllers, review the advisory in detail. As usual, your first action is to make sure the devices are isolated from the internet and accessible only from trusted networks. Then, if patches are available, plan a patch cycle. If no patches are available, do a proper risk assessment to decide whether you will keep the devices and accept the risk, or phase them out and replace them.
Schneider Electric is reporting multiple critical security vulnerabilities affecting their Modicon series of programmable logic controllers (PLCs).
The security advisory details 22 distinct vulnerabilities affecting the Modicon product line. The vulnerabilities span a wide range of security issues, including trust boundary violations, uncaught exceptions, information exposure, authentication bypass, improper access control, and out-of-bounds read vulnerabilities.
Successful exploitation of these vulnerabilities could allow an attacker to execute unsolicited commands on the PLC, potentially resulting in loss of controller availability or, in the most severe cases, complete system compromise.
The most critical vulnerabilities include:
- CVE-2019-6808 (CVSS v3: 10.0, CVSS v4: 10.0): An uncaught exception vulnerability that could cause remote code execution by overwriting configuration settings over Modbus
- CVE-2018-7847 (CVSS v3: 9.8, CVSS v4: 9.3): An improper access control vulnerability that could cause denial-of-service or potential code execution by overwriting controller configuration settings
- CVE-2018-7850 (CVSS v3: 9.8, CVSS v4: 9.3): A reliance on untrusted inputs vulnerability that could cause invalid information to be displayed in Unity Pro software
The following Schneider Electric products are affected:
- Modicon M580: Various versions depending on the specific vulnerability
- Modicon M340: Various versions depending on the specific vulnerability
- Modicon Premium: All versions for many vulnerabilities
- Modicon Quantum: All versions for many vulnerabilities
- Modicon Momentum CPU (part numbers 171CBU*): All versions
- Modicon MC80: All versions or versions prior to specific releases
- PLC Simulator for EcoStruxure Control Expert: All versions prior to 15.1
Schneider Electric has provided specific mitigations for different product lines:
- Modicon M580: Updates available in firmware V3.10 for most vulnerabilities and V2.80 for others
- Modicon M340: Updates available in firmware V3.20 for various vulnerabilities
- Modicon MC80: Fix available for specific part numbers
- Modicon Premium/Momentum Unity M1E Processor: Various fixes available depending on version
- Modicon Quantum: Limited fixes in V3.60, but many vulnerabilities have no fix as these products have reached end-of-life
For products with no available fixes (particularly Modicon Quantum and Premium controllers which have reached end-of-life), Schneider Electric recommends migration to the Modicon M580 ePAC controller.
Additional recommended mitigations include:
- Setting up application passwords in project properties
- Implementing network segmentation and firewalls to block unauthorized access to Port 502/TCP
- Configuring access control lists per user manual recommendations
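The fixed firmware levels and end-of-life notes above can be turned into a first-pass inventory triage. The sketch below is an added example, not Schneider Electric's tooling: the CSV layout, asset names and action labels are assumptions, and it assumes firmware strings compare numerically component by component.

```python
import csv, io, re

# Values below are taken from this advisory summary; confirm per-CVE detail
# in the vendor advisory before acting on a result.
FIXED = {"M580": (3, 10), "M340": (3, 20)}     # firmware carrying the updates
EOL_PARTIAL = {"QUANTUM": (3, 60)}             # end-of-life, limited fixes only
EOL = {"PREMIUM"}                              # end-of-life

def parse_version(text):
    """'V3.10' / 'v2.80' / '3.20' -> tuple of ints; None when unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(model, firmware):
    """Return the action for one controller (labels are this example's own)."""
    key = re.sub(r"(?i)\bmodicon\b", "", model).strip().upper()
    ver = parse_version(firmware)
    if key in EOL:
        return "migrate-or-isolate"
    if key not in FIXED and key not in EOL_PARTIAL:
        return "check-advisory"          # MC80, Momentum, simulator, unknown
    if ver is None:
        return "verify-firmware"         # inventory gap: read version from device
    if key in EOL_PARTIAL:
        return "migrate-or-isolate" if ver >= EOL_PARTIAL[key] else "update-then-migrate"
    return "at-fixed-level" if ver >= FIXED[key] else "update"

def triage_inventory(csv_text):
    """Map asset name -> action for a CSV with columns name,model,firmware."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["name"]: triage(r["model"], r["firmware"]) for r in rows}

# Constructed sample inventory (not real assets).
SAMPLE = """name,model,firmware
plc-line1,Modicon M580,V2.90
plc-line2,Modicon M580,V3.10
plc-pump,Modicon M340,v3.01
plc-legacy,Modicon Quantum,V3.52
plc-old,Modicon Premium,
plc-unk,Modicon M340,unknown
plc-mc,Modicon MC80,V1.6
"""

if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE).items():
        print(f"{name:12} {action}")
```

An "at-fixed-level" result only means the firmware meets the level listed here; affected versions vary per vulnerability, so the per-CVE tables in the vendor advisory remain the reference.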