Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Finds 11 Vulnerabilities in Schneider Electric Modicon Controllers

Researchers at Cisco Talos have discovered nearly a dozen vulnerabilities in some of Schneider Electric’s Modicon programmable logic controllers (PLCs).

Researchers at Cisco Talos have discovered nearly a dozen vulnerabilities in some of Schneider Electric’s Modicon programmable logic controllers (PLCs).

There are a total of 11 security holes affecting Modicon M580, M340, BMENOC 0311, BMENOC 0321, Quantum (no longer supported), Premium, and Modicon BMxCRA and 140CRA modules. The M580 PLC, which is the newest Modicon controller, is the only one affected by all the vulnerabilities, while the rest are impacted by 2-8 flaws.

The vulnerabilities are related to the Modbus, FTP and TFTP protocols, and the REST API. The more serious flaws — the ones affecting TFTP and the REST API — can be exploited by sending specially crafted requests to the targeted device. They have been assigned the CVE identifiers CVE-2019-6841 through CVE-2019-6851.Modicon M580 vulnerabilities

The three flaws related to the REST API are all classified as high severity, and they can be exploited for denial-of-service (DoS) attacks or they could lead to the disclosure of sensitive information.

The vulnerability related to the TFTP protocol is also high severity. Exploitation of the bug can result in the exposure of file and directory information, but the TFTP port is disabled by default on controllers, Schneider said.

As for the Modbus-related issue, it’s a medium-severity weakness involving the transmission of sensitive information in clear text when Modbus is used to transfer applications to the controller.

In the case of the FTP-related vulnerabilities, most of them can be exploited to cause devices to enter a DoS condition using a specially crafted firmware image.

Learn More About PLC Vulnerabilities at SecurityWeek’s 2019 ICS Cyber Security Conference

Talos reported the vulnerabilities to Schneider Electric in May and July. The company this week published four separate advisories for the weaknesses, each focusing on the affected component. In each case, it blamed the vulnerabilities on the impacted protocol.

While it has not released any firmware updates to address the vulnerabilities, the company has provided a series of recommendations for preventing potential attacks. These include disabling the impacted services if not needed, blocking unauthorized access to specific ports at the firewall, and, in the case of the FTP-related bugs, changing default passwords.

Talos has published a blog post describing the FTP-related vulnerabilities, and released separate advisories for most of the flaws.

Related: Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator

Related: Schneider Electric Vehicle Charging Stations Exposed to Hacker Attacks

Related: Flaw in Schneider PLC Allows Significant Disruption to ICS

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.