Schneider Electric Modicon Controllers Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Schneider Electric's Modicon Controllers M241, M251, M258, LMC058, and M262, all versions prior to specific fixed releases. This vulnerability arises from improper input validation, allowing an authenticated malicious user to send specially crafted HTTPS requests with malformed body data to the controller. The exploitation of this vulnerability could lead to a loss of availability, causing the controller to become unresponsive or fail to perform its intended functions.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition, where the affected controller becomes unresponsive or fails to function properly, disrupting any processes or applications relying on it.

Remediation

Users of Modicon Controllers M241/M251 can upgrade to version 5.3.12.51, while those using Modicon Controllers M262 should upgrade to version 5.3.9.18. Both updates can be downloaded from the respective product pages on the Schneider Electric website. For Modicon M258/LMC058, a remediation plan is being established for future versions, and users should apply recommended cybersecurity best practices to reduce the risk of exploitation.

Added: Jun 10, 2025, 10:17 AM
Updated: Jun 10, 2025, 10:17 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 4.9
remediation: 7.9
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.