
SecurityWeek

ICS/OT

Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Researchers have found another vulnerability in software made by Schneider Electric that is similar to the one exploited by the notorious Stuxnet malware.

Stuxnet, the malware used a decade ago by the United States and Israel to cause damage to Iran’s nuclear program, was designed to target Siemens’ SIMATIC S7-300 and S7-400 programmable logic controllers (PLCs). The malware loaded malicious code onto targeted PLCs by replacing a DLL file associated with the Siemens STEP7 controller programming software.

In March, Airbus Cybersecurity reported that it had identified a similar vulnerability in Schneider Electric’s EcoStruxure Control Expert engineering software, formerly known as Unity Pro. The flaw, tracked as CVE-2020-7475, can be exploited to upload malicious code to Modicon M340 and M580 PLCs by replacing one of the DLL files associated with the engineering software, which could lead to process disruptions and other damage.

Researchers at cybersecurity firm Trustwave reported on Thursday that they too have identified a similar vulnerability in Schneider software, specifically EcoStruxure Machine Expert (formerly known as SoMachine), which allows users to develop projects on Modicon M221 controllers.

The second flaw, tracked as CVE-2020-7489, has roughly the same description in Schneider’s advisory as CVE-2020-7475 and the same CVSS score of 8.2 — this means they are high-severity vulnerabilities.

Schneider has released patches for both vulnerabilities, but noted in the advisory for the first security hole that products from other vendors could also be vulnerable to these types of attacks.

Karl Sigler, senior security research manager at Trustwave’s SpiderLabs, told SecurityWeek that exploitation of CVE-2020-7489 requires access to the environment hosting the SoMachine software and the targeted PLC.

“For the SoMachine DLL injection vulnerability specifically (CVE-2020-7489) the attacker would need to perform the injection using the same user context as a local user authorized to run the software,” Sigler explained. “Administrative access would not be necessary unless SoMachine is installed and locked down for administrative accounts. While these systems might be air-gapped, we’ve seen in Stuxnet that this is not necessarily a barrier for exploitation.”
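Both flaws described above come down to a DLL in the engineering software's install directory being swapped for one the attacker controls. One defensive check a workstation owner can run is a hash baseline of those DLLs, re-verified on a schedule or before each download to a PLC. The script below is an added example, not code from Schneider, Trustwave or Airbus; the directory layout and file names it builds are constructed for the demonstration, and the install path you would point it at is an assumption you supply.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(install_dir: Path) -> dict:
    """Map every DLL under the install directory (posix-style relative path) to its hash."""
    return {
        p.relative_to(install_dir).as_posix(): hash_file(p)
        for p in sorted(install_dir.rglob("*.dll"))
    }

def compare_to_baseline(install_dir: Path, baseline: dict) -> dict:
    """Report DLLs whose hash changed, DLLs that appeared, and DLLs that vanished.
    A 'modified' entry is the signature of the DLL-replacement technique in the advisories;
    'added' catches a planted library that the software might load by search order."""
    current = build_baseline(install_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline a clean install, then swap one DLL and plant another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)                     # stands in for the engineering software's install dir
        (root / "bin").mkdir()
        (root / "bin" / "Loader.dll").write_bytes(b"vendor code v1")   # constructed sample
        (root / "bin" / "Comms.dll").write_bytes(b"vendor code v1")    # constructed sample
        baseline = build_baseline(root)
        (root / "bin" / "Loader.dll").write_bytes(b"replaced contents")  # simulated swap
        (root / "bin" / "Extra.dll").write_bytes(b"unexpected")          # simulated plant
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be taken from a known-good install and stored somewhere the workstation user cannot write, since the vulnerability is exploitable in the same user context that runs the software.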


Trustwave researchers also made an interesting discovery related to an old vulnerability affecting Schneider Electric software.

In 2017, the vendor informed customers of CVE-2017-6034, a critical vulnerability that allowed hackers to send run, stop, upload and download commands to a PLC using a replay attack.

Trustwave researchers discovered last year that an attack could still be launched by leveraging an existing session between EcoStruxure Machine Expert and the PLC. As a result of Trustwave’s findings, Schneider updated its original advisory in August 2019.

“The original CVE-2017-6034 vulnerability allowed for packet capture and replay to the PLC. For instance a packet with the ‘Stop’ command sent to the PLC could be replayed by an attacker to stop the PLC at any time,” Sigler explained. “While this replay vulnerability was patched in 2017, Trustwave discovered that the attack could still be performed as long as the attacker was piggybacking on top of an existing session between the control software and the PLC. In other words, while the packet replay vulnerability was patched, a man-in-the-middle attack could still be performed accomplishing the same misuse of the PLC.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
