Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerability Can Be Exploited to Hack Schneider Electric’s Modicon PLCs

A vulnerability affecting some of Schneider Electric’s Modicon programmable logic controllers (PLCs) can be exploited to bypass authentication mechanisms, allowing attackers to take complete control of the targeted device.

A vulnerability affecting some of Schneider Electric’s Modicon programmable logic controllers (PLCs) can be exploited to bypass authentication mechanisms, allowing attackers to take complete control of the targeted device.

The flaw, tracked as CVE-2021-22779 and dubbed ModiPwn, was identified by researchers at enterprise IoT security firm Armis. It can be exploited by an unauthenticated attacker who has network access to the targeted PLC.

The exploit chain demonstrated by Armis also involves several other vulnerabilities discovered over the past few years. These older issues — they are tracked as CVE-2018-7852, CVE-2019-6829 and CVE-2020-7537 — are related to Schneider’s UMAS (Unified Messaging Application Services) protocol, which is used to configure and monitor the French industrial giant’s PLCs.

ModiPwn vulnerability can be exploited to hack Schneider Electric Modicon PLCsAccording to Armis, UMAS operates over the Modbus industrial communications protocol, which “lacks encryption and proper authentication mechanisms.” Schneider said in the past that it had been planning on adopting the Modbus Security protocol, but until the more secure version of the protocol is widely adopted, the old version will continue to pose security-related risks.

Armis researchers discovered that the older vulnerabilities, which are related to undocummented UMAS commands, could actually be exploited for remote code execution and information disclosure, not only for DoS attacks as Schneider initially claimed.

The vendor patched those older flaws by adding an authentication mechanism that should have prevented them from being abused. However, the new ModiPwn vulnerability found by Armis can be exploited to bypass that authentication mechanism.

An attacker can exploit the ModiPwn flaw to bypass authentication and they can then leverage the undocummented commands — basically the older vulnerabilities — to carry out various actions.

A hacker could use this method to “take over the PLC and gain native code execution on the device which can be used to alter the operation of the PLC, while hiding the alterations from the engineering workstation that manages the PLC.”

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

“Malware that targets industrial controllers have been found in attacks in the wild – such as the Triton malware, which targeted Triconex safety controllers from SE. This malware was an example of the devastating potential a malware running on an industrial controller can achieve by gaining native code execution. This latest vulnerability shows the potential for an attacker to gain native code execution on a similar controller,” Armis said.

The ModiPwn vulnerability was initially reported to Schneider Electric in mid-November 2020. The vendor on Tuesday published an advisory providing mitigations for this vulnerability, but a patch has yet to be released. Modicon M580 and M340 PLCs are impacted.

The security firm has disclosed the details of the attack and it has posted a video showing the exploit chain in action.

Related: Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Related: Industrial Controllers Still Vulnerable to Stuxnet-Style Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...