Schneider Electric Warns of Critical Flaw in Modicon Controllers – CVE-2024-11737 (CVSS 9.8)
Schneider Electric has issued a security notification warning of a critical vulnerability affecting its Modicon M241, M251, M258, and LMC058 Programmable Logic Controllers (PLCs). The vulnerability, tracked as CVE-2024-11737 and assigned a CVSS score of 9.8, could allow an attacker to cause a denial of service and compromise the integrity of the controller.
“Failure to apply the Fix provided below may risk a denial of service and partial loss of Integrity of the controller, which could result in disruption operations,” the notification warns.
The vulnerability affects all versions of the Modicon M241, M251, M258, and LMC058 PLCs. These controllers are used in a variety of industrial automation applications, including manufacturing, energy, and transportation.
Schneider Electric is currently working on a remediation plan for all future versions of the affected products. In the meantime, the company recommends that customers take the following mitigation measures to reduce the risk of exploitation:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from the public internet or untrusted networks.
- Filter ports and IP through the embedded firewall.
- Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP.
- Disable all unused protocols (default configuration).
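The segmentation advice above (only trusted engineering hosts may reach the controllers on 502/TCP) is easy to state and easy to drift away from. The following is an added example, not code from Schneider Electric or from the advisory: a small Python check that reads perimeter-firewall connection records and flags any Modbus/TCP (502/TCP) connection to the PLC subnet that did not come from an allowlisted engineering subnet. The log line format, the subnets and the addresses are all constructed for the example; substitute your own firewall's export format and your real OT address plan.

```python
import ipaddress
import re
from dataclasses import dataclass

# Modbus/TCP, the port the advisory says must be shielded from unauthorized access.
MODBUS_TCP_PORT = 502

# Assumed address plan (constructed for this example):
#   engineering/SCADA hosts that are allowed to talk Modbus to the controllers
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.20.0/24")]
#   the OT cell holding the Modicon controllers
PLC_NETWORK = ipaddress.ip_network("10.10.30.0/24")

# Constructed key=value record format; adapt the regex to your firewall's export.
RECORD_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Alert:
    src: str
    dst: str
    reason: str


def check_modbus_access(lines, allowed=ALLOWED_SOURCES, plc_net=PLC_NETWORK):
    """Return one Alert per 502/TCP connection to the PLC subnet from a non-allowlisted source.

    Lines that do not match the record format, that are not TCP, that target
    another port, or that are not aimed at the PLC subnet are ignored.
    """
    alerts = []
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue  # not a connection record we understand
        if m["proto"].upper() != "TCP" or int(m["dport"]) != MODBUS_TCP_PORT:
            continue  # only Modbus/TCP matters for this check
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst not in plc_net:
            continue  # not a controller
        if any(src in net for net in allowed):
            continue  # expected engineering traffic
        alerts.append(Alert(str(src), str(dst), "Modbus/TCP from outside the engineering allowlist"))
    return alerts


# Constructed sample records: one expected connection, two policy violations,
# one non-Modbus connection and one UDP record that the check must ignore.
SAMPLE_LOG = [
    "2024-12-10T08:01:02Z fw1 ACCEPT src=10.10.20.15 dst=10.10.30.7 proto=TCP dport=502",
    "2024-12-10T08:01:09Z fw1 ACCEPT src=10.10.40.9 dst=10.10.30.7 proto=TCP dport=502",
    "2024-12-10T08:02:44Z fw1 ACCEPT src=203.0.113.42 dst=10.10.30.7 proto=TCP dport=502",
    "2024-12-10T08:03:01Z fw1 ACCEPT src=10.10.40.9 dst=10.10.30.7 proto=TCP dport=443",
    "2024-12-10T08:03:15Z fw1 ACCEPT src=10.10.20.15 dst=10.10.30.7 proto=UDP dport=502",
]

if __name__ == "__main__":
    for alert in check_modbus_access(SAMPLE_LOG):
        print(f"ALERT {alert.src} -> {alert.dst}: {alert.reason}")
```

Run against the constructed records, the check reports the connection from 10.10.40.9 (an internal host outside the engineering subnet) and the one from 203.0.113.42; the allowlisted engineering host, the HTTPS connection and the UDP record produce nothing. Because the check matches on ACCEPT records, a non-empty result means the segmentation firewall in front of the controllers is letting through exactly the traffic the advisory says to block, which is the condition worth alerting on.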
Schneider Electric also recommends that customers refer to the “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment User Guide” for more detailed information on how to secure their PLCs.