ICSA-25-140-08  ·  Published 2025-10-14

Schneider Electric Modicon Controllers (Update B)

CVSS 7.5 HIGH

CVEs (1)

Remediations

  • Version 5.3.12.48 of Modicon Controllers M241 includes a fix for this vulnerability and can be downloaded here: M241: https://www.se.com/ww/en/product-range/62129-modicon-m241-micro-plc/#software-and-firmware
      * Use the Controller Assistant feature of EcoStruxure™ Automation Expert - Motion V24.1 or EcoStruxure™ Machine Expert V2.3 to update the M241/M251 firmware and perform a reboot.
      * EcoStruxure™ Automation Expert - Motion V24.1 and EcoStruxure™ Machine Expert V2.3 are available via the Schneider Electric Software Installer: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER
      * Additional information is available in the Quick Start Guide, chapter “EcoStruxure™ Automation Expert Platform Installation”.
  • Version 5.3.12.48 of Modicon Controllers M251 includes a fix for this vulnerability and can be downloaded here: M251: https://www.se.com/ww/en/product-range/62130-modicon-m251-micro-plc-with-dual-channel-comm/#software-and-firmware
      * Use the Controller Assistant feature of EcoStruxure™ Automation Expert - Motion V24.1 or EcoStruxure™ Machine Expert V2.3 to update the M241/M251 firmware and perform a reboot.
      * EcoStruxure™ Automation Expert - Motion V24.1 and EcoStruxure™ Machine Expert V2.3 are available via the Schneider Electric Software Installer: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER
      * Additional information is available in the Quick Start Guide, chapter “EcoStruxure™ Automation Expert Platform Installation”.
  • Modicon M258/LMC058 firmware version 5.0.4.19 includes a fix for this vulnerability and can be downloaded here: https://www.se.com/ww/en/product-range/2730-modicon-m258-compact-plc-for-machine-automation/#software-and-firmware
      * Use Controller Assistant from EcoStruxure™ Machine Expert to update the Modicon Controller M258/LMC058 firmware and perform a reboot.
  • If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploitation:
      * Use controllers and devices only in a protected environment to minimize network exposure, and ensure that they are not accessible from the public internet or untrusted networks.
      * Ensure usage of user management and password features. User rights are enabled by default, and users are forced to create a strong password at first use.
      * Deactivate the Webserver after use when not needed.
      * Use encrypted communication links when available.
      * Set up network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
      * Use VPN (Virtual Private Network) tunnels if remote access is required.
      * The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide product-specific hardening guidelines.
    To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp
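
An added example (not part of the advisory or any Schneider Electric tooling): a Python check of an asset inventory against the fixed firmware versions listed above. The inventory rows, column names and status labels are constructed assumptions; versions are compared as integer tuples because plain string comparison would rank 5.3.12.6 above 5.3.12.48.

```python
import csv
import re

# Fixed firmware versions, taken from the remediation list in this advisory.
FIXED = {"M241": (5, 3, 12, 48), "M251": (5, 3, 12, 48),
         "M258": (5, 0, 4, 19), "LMC058": (5, 0, 4, 19)}

# Constructed sample inventory: asset names and installed versions are made up.
SAMPLE_INVENTORY = """\
asset,model,firmware
press-line-1,Modicon M241,5.3.12.48
conveyor-a,Modicon M251,5.3.12.6
packer-3,Modicon M258,5.0.4.19
motion-7,LMC058,4.0.6.45
mixer-1,modicon m241,unknown
hmi-2,Operator panel,1.2.0
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not an a.b.c.d version."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip(), re.ASCII):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def family_of(model):
    """Map a free-text model string to a controller family named in the advisory."""
    for family in FIXED:
        if family in model.upper():
            return family
    return None

def triage(inventory_csv):
    """Return {asset: status}; status is fixed, vulnerable, unknown or not-listed."""
    results = {}
    for row in csv.DictReader(inventory_csv.splitlines()):
        family = family_of(row["model"])
        version = parse_version(row["firmware"])
        if family is None:
            status = "not-listed"   # model family is not named in this advisory
        elif version is None:
            status = "unknown"      # unreadable version: verify on the device
        elif version < FIXED[family]:
            status = "vulnerable"   # numeric tuple comparison, field by field
        else:
            status = "fixed"
        results[row["asset"]] = status
    return results
```

An `unknown` or `not-listed` result is not a clean bill of health; confirm those assets manually.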

Affected Vendors

Schneider Electric

Affected Products (10)

Schneider Electric · Modicon Controllers M241 <5.3.12.48
Schneider Electric · Modicon Controllers M241 5.3.12.48
Schneider Electric · Modicon Controllers M251 <5.3.12.48
Schneider Electric · Modicon Controllers M251 5.3.12.48
Schneider Electric · Modicon Controllers M258 <5.0.4.19
Schneider Electric · Modicon Controllers M258 5.0.4.19
Schneider Electric · Modicon Controllers LMC058 <5.0.4.19
Schneider Electric · Modicon Controllers LMC058 5.0.4.19
Schneider Electric · EcoStruxure Automation Expert - Motion 24.1
Schneider Electric · EcoStruxure Machine Expert 2.3

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy
