Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs

Schneider Electric this week released advisories for vulnerabilities impacting various products, including flaws that can be exploited to take control of Modicon M221 programmable logic controllers (PLCs).

A total of four vulnerabilities were discovered in Modicon M221 PLCs by researchers at industrial cybersecurity firm Claroty. Three of them were identified independently by employees of cybersecurity company Trustwave. Both Trustwave and Claroty have published blog posts detailing their findings.

The security holes, three of which have been rated high severity by Schneider, are related to encryption and authentication. The French industrial giant has shared some recommendations that customers can implement to reduce the risk of attacks.

Karl Sigler, senior threat intelligence manager at Trustwave, told SecurityWeek that an attacker needs to have a foothold on the OT network in order to exploit any of the vulnerabilities.

“By bypassing authentication protections and having direct access to manipulate the PLC, an attacker could take over complete control of the PLC actions, which could be catastrophic depending what type of OT environment the PLC is deployed,” Sigler explained. “This could potentially lead to complete failure of the control systems or hazardous situations where the safety of the systems is compromised.”

Yehuda Anikster, senior researcher at Claroty, told SecurityWeek that exploitation of the vulnerabilities requires capturing traffic between the EcoStruxure Machine engineering software and the targeted PLC.

“The attackers would then need to wait for an engineer or technician to connect and enter a password or perform download/upload operations to the M221 using the engineering software,” Anikster said. “At this stage, the attackers have all they need and can now extract the encryption key from the captured network traffic in order to decrypt the read/write passwords from the traffic.”

“After the attackers have obtained the read/write passwords, they can do anything they wish to the M221 PLC as if they were the engineers themselves. This includes uploading the M221’s program, downloading (and overwriting) a program to the M221, changing the read/write passwords, stopping/starting the M221, and more,” the researcher added. “For example, attackers can extract all the code running on the M221s, stealing the company’s control process logic. Another potential scenario is of attackers deleting all the code and changing all passwords on the M221s, blocking all access to the devices and rendering the PLCs unusable in a denial-of-service attack. Furthermore, sly attackers could perform a Stuxnet-like attack and slightly change the code on the M221s to wreak havoc on the company’s devices.”

Schneider Electric also informed customers this week of critical and high-severity vulnerabilities affecting its PLC Simulator product, including ones that can be exploited for arbitrary command execution and DoS attacks.

It also warned of a critical flaw in the Easergy T300 RTU, which can allow command execution and DoS attacks, and several high-severity remote code execution vulnerabilities affecting the Interactive Graphical SCADA System (IGSS) product.

The vendor also advised customers to apply defense-in-depth measures to protect Q Data Radio and J Data Radio devices against Drovorub, a Russia-linked malware that was recently detailed by the NSA and the FBI.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
