[Control systems] Schneider Electric security advisory (AV26-210)
# Vulnerability: Schneider Electric EcoStruxure and Modicon Multiple Vulnerabilities (AV26-210)
## CVE Details
*Note: The source article (AV26-210) lists a major advisory bundle. Precise CVE identifiers and CVSS scores for each individual product are contained in the linked vendor-specific notifications.*
- **CVE ID:** Multiple (See Schneider Electric Security Notifications)
- **CVSS Score:** Range from Medium to Critical (Estimated based on product types)
- **CWE:** Varies by product (likely including CWE-287 Improper Authentication, CWE-119 Memory Corruption, or CWE-79 Cross-site Scripting depending on the specific module)
## Affected Systems
- **EcoStruxure Foxboro DCS:** Versions prior to CS8.1
- **EcoStruxure Automation Expert:** Versions prior to v25.0.1
- **EcoStruxure IT Data Center Expert:** Versions v9.0 and prior
- **EcoStruxure Power Monitoring Expert (PME):** Versions 2022, 2023, 2023 R2, 2024, and 2024 R2
- **EcoStruxure Power Operation (EPO) Advanced Reporting and Dashboards Module:** Versions 2022 and 2024
- **Modicon M241/M251 Logic Controllers:** Versions prior to 5.4.13.12
- **Modicon M262 Logic Controllers:** Versions prior to 5.4.10.12
- **Modicon M258/LM058 Logic Controllers:** All versions (End-of-Life/End-of-Support implications)
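The version ranges above can be applied to an asset inventory, as in this added example (not code from the advisory or from Schneider Electric). The product-name keys, asset names and sample versions are constructed assumptions; a release that an enumerated range does not mention is reported as `unlisted` rather than assumed safe.

```python
import re

# Rules transcribed from the affected-systems list above.
# "lt": versions prior to the bound; "le": the bound and prior;
# "in": only the named releases; "all": every version.
RULES = {
    "EcoStruxure Foxboro DCS": ("lt", "CS8.1"),
    "EcoStruxure Automation Expert": ("lt", "v25.0.1"),
    "EcoStruxure IT Data Center Expert": ("le", "v9.0"),
    "EcoStruxure Power Monitoring Expert": ("in", {"2022", "2023", "2023 R2", "2024", "2024 R2"}),
    "EPO Advanced Reporting and Dashboards Module": ("in", {"2022", "2024"}),
    "Modicon M241": ("lt", "5.4.13.12"),
    "Modicon M251": ("lt", "5.4.13.12"),
    "Modicon M262": ("lt", "5.4.10.12"),
    "Modicon M258": ("all", None),
    "Modicon LM058": ("all", None),
}

def vkey(version):
    """Numeric fields of a version label: 'CS8.1' -> (8, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def status(product, version):
    """Classify one asset as affected / fixed / unlisted / unknown."""
    if product not in RULES:
        return "unknown"
    kind, bound = RULES[product]
    if kind == "all":
        return "affected"
    if kind == "in":
        return "affected" if version.strip() in bound else "unlisted"
    have, want = vkey(version), vkey(bound)
    if not have:
        return "unknown"  # unparseable label: needs manual review
    width = max(len(have), len(want))  # pad so 9.0 and 9.0.0 compare equal
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    if kind == "lt":
        return "affected" if have < want else "fixed"
    return "affected" if have <= want else "unlisted"

# Constructed sample inventory (hypothetical asset names and versions).
INVENTORY = [
    ("plc-line1", "Modicon M241", "5.4.9.30"),
    ("plc-line2", "Modicon M262", "5.4.10.12"),
    ("plc-legacy", "Modicon M258", "4.0.6.41"),
    ("dce-01", "EcoStruxure IT Data Center Expert", "v9.0.0"),
    ("pme-01", "EcoStruxure Power Monitoring Expert", "2021"),
]

def triage(inventory):
    return [(asset, status(product, version)) for asset, product, version in inventory]
```

Fields are compared as integers, so firmware 5.4.9.30 sorts below 5.4.13.12, which a plain string comparison would get wrong.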
## Vulnerability Description
This advisory covers a broad range of vulnerabilities across Schneider Electric’s industrial control systems (ICS) and power management software. The flaws typically involve weaknesses in how these devices handle network communications, authenticate users, or process data within their web-based management interfaces. For the Modicon controllers, flaws often reside in the firmware handling of specific industrial protocols or the integrated web servers.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; however, researchers often target these products following advisory releases.
- **Complexity:** Varies (Low to Medium)
- **Attack Vector:** Typically Network (Remote)
## Impact
- **Confidentiality:** High (Potential unauthorized access to sensitive ICS configuration data)
- **Integrity:** High (Potential unauthorized modification of controller logic or reporting data)
- **Availability:** High (Potential for Denial of Service (DoS) or complete controller halt)
## Remediation
### Patches
Schneider Electric recommends upgrading to the following versions:
- **EcoStruxure Foxboro DCS:** Update to CS8.1 or later.
- **EcoStruxure Automation Expert:** Update to v25.0.1 or later.
- **EcoStruxure IT Data Center Expert:** Review the vendor advisory for the specific upgrade path.
- **Modicon M241/M251:** Update firmware to 5.4.13.12.
- **Modicon M262:** Update firmware to 5.4.10.12.
### Workarounds
- **Modicon M258/LM058:** As all versions are affected, strictly isolate these devices from the business network and the internet. Use a secure industrial gateway or VPN.
- **General ICS Hardening:** Disable unused services (HTTP/FTP/SNMP) and ensure controllers are placed behind a firewall with deep packet inspection (DPI) for industrial protocols.
## Detection
- Monitor for unusual traffic on port 502 (Modbus/TCP) or proprietary Schneider Electric ports (e.g., port 44818).
- Audit system logs for failed login attempts or unauthorized configuration changes in EcoStruxure software modules.
- Use ICS-aware intrusion detection systems (IDS) to identify malformed packets targeting PLC firmware.
## References
- Schneider Electric Security Notifications: hxxps[://]www[.]se[.]com/ww/en/work/support/cybersecurity/security-notifications[.]jsp
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-schneider-electric-security-advisory-av26-210