Schneider Electric Modicon Controllers
- EXECUTIVE SUMMARY

  - CVSS v4 7.1
  - ATTENTION: Exploitable remotely/low attack complexity
  - Vendor: Schneider Electric
  - Equipment: Modicon Controllers
  - Vulnerabilities: Improper Input Validation, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Uncontrolled Resource Consumption
- RISK EVALUATION

  Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition.
- TECHNICAL DETAILS

  3.1 AFFECTED PRODUCTS

  Schneider Electric reports that the following products are affected:

  - Modicon Controllers M241: Versions prior to 5.3.12.51
  - Modicon Controllers M251: Versions prior to 5.3.12.51
  - Modicon Controllers M262: Versions prior to 5.3.9.18 (CVE-2025-3898, CVE-2025-3117)
  - Modicon Controllers M258: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)
  - Modicon Controllers LMC058: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)

  3.2 VULNERABILITY OVERVIEW

  3.2.1 IMPROPER INPUT VALIDATION CWE-20

  An improper input validation vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends an HTTPS request containing invalid data type to the webserver.

  CVE-2025-3898 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

  A CVSS v4 score has also been calculated for CVE-2025-3898. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

  3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

  An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists in the Certificates page on the webserver that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.

  CVE-2025-3899 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

  A CVSS v4 score has also been calculated for CVE-2025-3899. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).

  3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

  An uncontrolled resource consumption vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends a manipulated HTTPS Content-Length header to the webserver.

  CVE-2025-3112 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

  A CVSS v4 score has also been calculated for CVE-2025-3112. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

  3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

  An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists impacting PLC system variables that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.

  CVE-2025-3905 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

  A CVSS v4 score has also been calculated for CVE-2025-3905. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).

  3.2.5 IMPROPER INPUT VALIDATION CWE-20

  An improper input validation vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends a special malformed HTTPS request containing improperly formatted body data to the controller.

  CVE-2025-3116 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

  A CVSS v4 score has also been calculated for CVE-2025-3116. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

  3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

  An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists impacting configuration file paths that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.

  CVE-2025-3117 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

  A CVSS v4 score has also been calculated for CVE-2025-3117. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).

  3.3 BACKGROUND

  - CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  - COUNTRIES/AREAS DEPLOYED: Worldwide
  - COMPANY HEADQUARTERS LOCATION: France

  3.4 RESEARCHER

  Loc Nguyen, Dat Phung, Thai Do, Minh Pham of Unit 515, OPSWAT reported these vulnerabilities to Schneider Electric.
- MITIGATIONS

  Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

  - Version 5.3.12.51 of Modicon Controllers M241 includes a fix for these vulnerabilities, which can be downloaded here. Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M241 firmware and perform a reboot. EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
  - Version 5.3.12.51 of Modicon Controllers M251 includes a fix for these vulnerabilities, which can be downloaded here. Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M251 firmware and perform a reboot. EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
  - (CVE-2025-3898, CVE-2025-3117) Versions from 5.3.9.18 of Modicon Controllers M262 include a fix for these vulnerabilities, which can be downloaded here. Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M262 firmware and perform a reboot. EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.

  If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  - Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
  - Ensure usage of user management and password features. User rights are enabled by default, and users are forced to create a strong password at first use.
  - Deactivate the webserver after use when not needed.
  - Use encrypted communication links.
  - Set up network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
  - Use VPN (Virtual Private Network) tunnels if remote access is required.
  - The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide product-specific hardening guidelines.

  (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117) Schneider Electric is establishing a remediation plan for all future versions of Modicon M258/LMC058 that will include a fix for these vulnerabilities. Schneider Electric will update SEVD-2025-161-02 when the remediation is available. Until then, users should immediately apply the above mitigations to reduce the risk of exploit.

  For more information, see the associated Schneider Electric CPCERT security advisory SEVD-2025-161-02:

  - Modicon Controllers M241/M251/M258/LMC058/M262 - SEVD-2025-161-02 PDF Version
  - Modicon Controllers M241/M251/M258/LMC058/M262 - SEVD-2025-161-02 CSAF Version

  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

  CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

  CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

  No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
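
Added example (not part of the advisory or of any Schneider Electric tooling): a Python triage of an asset inventory against the affected-product list in section 3.1, comparing firmware versions numerically so that 5.3.10.x is not mistaken for older than 5.3.9.18. The inventory entries and the names `triage` and `report` are constructed for illustration; the advisory gives no per-CVE scoping for M241/M251, so none is reported for those models.

```python
from collections import namedtuple

# fixed_in: first fixed firmware (None = no fix published); cves: () = advisory lists none
Rule = namedtuple("Rule", "fixed_in cves")
# Transcribed from section 3.1 (affected products) of the advisory.
AFFECTED = {
    "M241": Rule((5, 3, 12, 51), ()),
    "M251": Rule((5, 3, 12, 51), ()),
    "M262": Rule((5, 3, 9, 18), ("CVE-2025-3898", "CVE-2025-3117")),
    "M258": Rule(None, ("CVE-2025-3905", "CVE-2025-3116", "CVE-2025-3117")),
    "LMC058": Rule(None, ("CVE-2025-3905", "CVE-2025-3116", "CVE-2025-3117")),
}

def parse_version(text):
    """'5.3.9.18' -> (5, 3, 9, 18). Tuples compare numerically, so 5.3.10 > 5.3.9."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(model, firmware):
    """Return (status, cves, action) for one controller."""
    rule = AFFECTED.get(model.upper().replace("MODICON", "").strip())
    if rule is None:
        return ("not-listed", (), "model is not named in this advisory")
    if rule.fixed_in is None:
        return ("affected-no-fix", rule.cves, "no fixed firmware yet; apply the network mitigations")
    try:
        current = parse_version(firmware)
    except ValueError:
        return ("unknown", rule.cves, "firmware version unreadable; check on the device")
    fixed = ".".join(map(str, rule.fixed_in))
    if current < rule.fixed_in:
        return ("affected", rule.cves, f"update firmware to {fixed} or later")
    return ("fixed", (), f"firmware is at or above {fixed}")

# Constructed sample inventory (asset tag, model, firmware); not real devices.
INVENTORY = [
    ("plc-01", "Modicon M241", "5.3.9.99"),
    ("plc-03", "M262", "5.3.10.2"),
    ("plc-04", "M258", "5.0.4.11"),
    ("plc-05", "M262", "5.3.9.7"),
]

def report(inventory=INVENTORY):
    return {tag: triage(model, fw) for tag, model, fw in inventory}

if __name__ == "__main__":
    for tag, (status, cves, action) in report().items():
        print(f"{tag}: {status:<16} {action} {' '.join(cves)}")
```

Devices reported as `affected-no-fix` or `unknown` still need the network-level mitigations listed above, since no firmware check can clear them.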
- UPDATE HISTORY

  - June 24, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-161-02