ICSA-23-201-01  ·  Published 2023-07-20

Schneider Electric EcoStruxure Products, Modicon PLCs, and Programmable Automation Controllers

CVSS 7.5 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to components, execute arbitrary code, or cause a denial-of-service condition.

CVEs (1)

Remediations

Schneider Electric has released the following remediations for users to implement:

  • EcoStruxure Process Expert: Version V2021 is available for download and is not impacted by this vulnerability, as the affected component has been removed from this version.
  • EcoStruxure Control Expert: Software V15.3 includes a fix for this vulnerability and is available for download.
  • Modicon M580 CPU (part numbers BMEP* and BMEH*): Firmware SV4.10 includes a fix for this vulnerability and is available for download.
  • Modicon Momentum Unity M1E Processor (part numbers 171CBU*): Firmware SV2.6 includes a fix for this vulnerability and is available for download.
  • Modicon M340 CPU (part numbers BMXP34*): Firmware SV3.51 includes a fix for this vulnerability and is available for download.
  • Modicon MC80 CPU (part numbers BMKC80*): Firmware SV1.90 includes a fix for this vulnerability and is available for download.
  • Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric recommends using backups and evaluating the impact of these patches in a "testing and development environment" or on an offline infrastructure.
  • Users should contact Schneider Electric for assistance in removing a patch.
  • Users should apply the best practices for network hardening as documented in the product user guide and the Schneider Electric Recommended Cybersecurity Best Practices.
  • For more information, see Schneider Electric's security advisory SEVD-2023-010-05.

Affected Vendors

Schneider Electric

Affected Products (8)

Schneider Electric · EcoStruxure Control Expert < 15.3
Schneider Electric · EcoStruxure Process Expert <= 2020
Schneider Electric · Modicon M340 CPU (part numbers BMXP34*) < SV3.51
Schneider Electric · Modicon M580 CPU (part numbers BMEP* and BMEH*) < SV4.10
Schneider Electric · Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) vers:all/*
Schneider Electric · Modicon Momentum Unity M1E Processor (part numbers 171CBU*) < SV2.6
Schneider Electric · Modicon MC80 CPU (part numbers BMKC80*) vers:all/*
Schneider Electric · Legacy Modicon Quantum (part numbers 140CPU65*) and Premium CPUs (part numbers TSXP57*) vers:all/*

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy
