Latest Schneider Electric vulnerabilities #

Our friends at CISA released advisories for a number of Schneider Electric ICS devices today through their Industrial Control Systems Advisories service, touching on Schneider Electric EcoStruxure Power Automation System (EPAS) (CVE-2025-0813, CVE-2025-1960, and CVE-2025-0002), ASCO Remote Annunciator (CVE-2025-1059), and Modicon PLC (CVE-2024-11737).

If you're in the business of power generation and distribution, you'll want to take a look at these. That said, all but one of these issues seem to come with some pretty convoluted attack scenarios, so you shouldn't worry too much about them. However, the Modicon bug, CVE-2024-11737, is a protocol-level Modbus vulnerability, and does look worth worrying about, so read on for that.

What is the impact? #

CVE-2024-11737 is a vulnerability in how Modicon Controllers M241, M251, M258, and LMC058 parse malformed Modbus packets. In most cases, this can cause the device to go offline, but if the attacker is particularly crafty with their packets, it can lead to total system compromise with remote code execution.
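One concrete way to turn "malformed Modbus packet" into something a defender can act on is to validate Modbus/TCP frames strictly before they reach a controller, for instance in a protocol-aware gateway or a passive monitoring sensor that flags frames a PLC should never have to parse. The following Python is an added example written for this post; it is not Schneider Electric's code, is not part of the CISA advisory, and does not reproduce the CVE-2024-11737 trigger (which the advisory does not publish). It checks the MBAP header and a few common request PDUs against the limits in the Modbus/TCP specification; the function names, the sample frames and their labels are constructed for illustration.

```python
"""Strict Modbus/TCP request validator (constructed example, not vendor code)."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7           # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253          # function code (1) + at most 252 data bytes per the Modbus/TCP spec
MIN_LENGTH_FIELD = 2   # unit id + function code is the smallest legal remainder
MAX_LENGTH_FIELD = 1 + MAX_PDU  # 254: unit id + a maximum-size PDU


class MalformedModbus(ValueError):
    """Raised for any frame a strict parser should refuse."""


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


# Requests whose data part has a fixed size: start address (2) + quantity or value (2).
FIXED_DATA_LEN = {1: 4, 2: 4, 3: 4, 4: 4, 5: 4, 6: 4}
# Upper bounds on the quantity field of the read functions (Modbus application protocol spec).
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU, refusing anything that violates the framing rules."""
    # 1. Enough bytes for the header plus a function code?
    if len(frame) < MBAP_LEN + 1:
        raise MalformedModbus(f"frame too short: {len(frame)} bytes")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    # 2. The protocol identifier is always 0 for Modbus.
    if proto != 0:
        raise MalformedModbus(f"protocol id {proto} is not 0")
    # 3. The length field must be in range AND agree with the bytes actually present;
    #    a disagreement here is exactly the kind of input a naive parser trusts.
    if not MIN_LENGTH_FIELD <= length <= MAX_LENGTH_FIELD:
        raise MalformedModbus(f"length field {length} out of range")
    if length != len(frame) - 6:
        raise MalformedModbus(f"length field {length} but {len(frame) - 6} bytes follow")
    fc = frame[MBAP_LEN]
    # 4. Function codes are 1..127; bit 7 set marks an exception response, never a request.
    if fc == 0 or fc > 127:
        raise MalformedModbus(f"invalid function code {fc:#04x}")
    data = bytes(frame[MBAP_LEN + 1:])
    _check_pdu(fc, data)
    return ModbusRequest(tid, unit, fc, data)


def _check_pdu(fc: int, data: bytes) -> None:
    """Per-function sanity checks for the request formats this example knows."""
    if fc in FIXED_DATA_LEN and len(data) != FIXED_DATA_LEN[fc]:
        raise MalformedModbus(f"fc {fc}: expected {FIXED_DATA_LEN[fc]} data bytes, got {len(data)}")
    if fc in MAX_QUANTITY:
        quantity = struct.unpack(">H", data[2:4])[0]
        if not 1 <= quantity <= MAX_QUANTITY[fc]:
            raise MalformedModbus(f"fc {fc}: quantity {quantity} out of range")
    if fc == 16:  # write multiple registers: addr (2) + quantity (2) + byte count (1) + values
        if len(data) < 5:
            raise MalformedModbus("fc 16: header truncated")
        _addr, quantity, byte_count = struct.unpack(">HHB", data[:5])
        if not 1 <= quantity <= 123 or byte_count != 2 * quantity or len(data) != 5 + byte_count:
            raise MalformedModbus(
                f"fc 16: quantity {quantity} / byte count {byte_count} / {len(data)} data bytes disagree")


def classify(frame: bytes) -> str:
    """Return 'ok' or the reason the frame would be dropped (handy for a log line)."""
    try:
        parse_modbus_tcp(frame)
        return "ok"
    except MalformedModbus as exc:
        return str(exc)


# Constructed sample frames (not captured traffic).
GOOD_READ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")         # read 10 holding registers
BAD_LENGTH = bytes.fromhex("0002 0000 0064 01 03 0000 000a")        # length field claims 100 bytes
TRUNCATED = GOOD_READ[:9]                                           # segment cut mid-PDU
BAD_PROTO = bytes.fromhex("0003 0001 0006 01 03 0000 000a")         # protocol id 1
BAD_BYTECOUNT = bytes.fromhex("0004 0000 000b 01 10 0000 0002 03 0001 0002")  # fc 16, count 3 for 2 regs

if __name__ == "__main__":
    for name, frame in [("GOOD_READ", GOOD_READ), ("BAD_LENGTH", BAD_LENGTH),
                        ("TRUNCATED", TRUNCATED), ("BAD_PROTO", BAD_PROTO),
                        ("BAD_BYTECOUNT", BAD_BYTECOUNT)]:
        print(f"{name:14s} {classify(frame)}")
```

The MBAP length check is the important one: it is cheap, it is stateless, and it catches the whole class of "header says one size, wire carries another" inputs regardless of which function code a given firmware mishandles. The per-function checks show how the same idea extends into the PDU; a production filter would cover every function code the site actually uses and drop the rest.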

Are updates or workarounds available? #

Schneider Electric has released updated firmware for the Modicon M241 and M251; version 5.2.11.29 fixes the issue.

Unfortunately, there is no fix available yet for Modicon M258 and LMC058, but the usual advice applies: don't connect these devices to an untrusted network, use firewalls to filter IPs and affected Modbus ports, and if you're not expecting to use Modbus functionality, turn it off on affected devices.

How to find potentially vulnerable Schneider Electric devices with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable firmware:

hw:="Schneider Electric M241" OR hw:="Schneider Electric M251" OR hw:="Schneider Electric M258" OR hw:="Schneider Electric LMC058"

January 2025: M580 and Quantum Modicon communications adapters #

Schneider Electric has reported a critical vulnerability in its M580 and Quantum Modicon communications adapters. These adapters are used in industrial control systems to allow communication with industrial control devices via industrial Ethernet.

This vulnerability is rated highly critical, with a CVSS score of 9.8.

The following devices are affected:

  • Modicon M580 communication modules BMENOC BMENOC0321, versions prior to SV1.10
  • Modicon M580 communication modules BMECRA BMECRA31210, all versions
  • Modicon M580/Quantum communication modules BMXCRA BMXCRA31200, all versions
  • Modicon M580/Quantum communication modules BMXCRA BMXCRA31210, all versions
  • Modicon Quantum communication modules 140CRA 140CRA31908, all versions
  • Modicon Quantum communication modules 140CRA 140CRA31200, all versions

What is the impact? #

Successfully exploiting this vulnerability would allow an attacker to take complete control of the vulnerable system. This vulnerability can be exploited remotely and without authentication.

Are updates or workarounds available? #

Schneider Electric has released an update for the affected BMENOC modules. The BMECRA, BMXCRA, and 140CRA modules do not currently have updates available.

Users are advised to update as quickly as possible for any affected BMENOC modules. Users are also advised to isolate any potentially vulnerable modules from untrusted networks; in particular, UDP ports 67 and 68 should be blocked from unauthorized traffic.

How to find potentially vulnerable Schneider Electric devices with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable firmware:

hw:"Schneider%BMENOC" OR hw:"Schneider%BMXCRA" OR hw:"Schneider%BMECRA" OR hw:"Schneider%140CRA"

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. He's also a founder and CNA point of contact for AHA!. He spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. He is also a CVE Board member, a Travis County Election Judge in Texas, and an internationally-tolerated horror fiction expert.


Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.
