ICSA-13-077-01B
·
Published 2025-06-06
·
View on CISA ICS-CERT ↗
Schneider Electric PLCs Vulnerabilities
CVSS 8.5
HIGH
CVEs (2)
Remediations
- Schneider Electric has issued a patch for the HTTP and FTP service that is available on selected Quantum PLC. This patch contains a new feature that allows the user to disable HTTP service on certain modules. The patch can be found on the Schneider Electric website (http://www.schneider-electric.com/).
- Schneider Electric has not issued a patch for the Modicon M340 or Premium PLC, but has issued a vulnerability disclosure notification that contains the following recommended mitigations for both vulnerabilities:
  - Do not connect the affected PLC modules to an untrusted network.
  - If such a connection is required, block all HTTP access to the module from untrusted IP addresses using a firewall, and only allow HTTP connections from known IP addresses from secured workstations.
Affected Vendors
Schneider Electric
Affected Products (3)
- Schneider Electric · Modicon M340 PLC modules · vers:all/*
- Schneider Electric · Quantum PLC modules · vers:all/*
- Schneider Electric · Premium PLC modules · vers:all/*