PatchSiren cyber security CVE debrief
CVE-2019-6809 Schneider Electric SE CVE debrief
CVE-2019-6809 is a high-severity denial-of-service issue in Schneider Electric Modicon controllers. According to the advisory, reading invalid data from the controller can trigger an uncaught exception, which may disrupt availability. The vendor and CISA guidance tie remediation to firmware updates and OT network hardening measures, especially for systems that expose Modbus/TCP or other controller access paths.
- Vendor: Schneider Electric SE
- Product: Modicon M580 Controller
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2019-05-14
- Original CVE updated: 2026-04-23
- Advisory published: 2019-05-14
- Advisory updated: 2026-04-23
Who should care
OT and ICS teams running Schneider Electric Modicon M580, M340, Quantum, or Premium controllers; engineers using EcoStruxure Control Expert; plant operators responsible for availability-critical automation networks; and defenders who must protect controller access over port 502/TCP.
Technical summary
The source advisory describes an uncaught exception that can be triggered when invalid data is read from the controller, resulting in a possible denial of service. The published CVSS 3.1 metadata indicates a network attack vector, low attack complexity, no privileges required, no user interaction, and an availability-only impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5 High). The advisory text also includes a CVSS v4.0 base score of 8.7 High. Affected products include Modicon M580 firmware prior to v2.90, Modicon M340 firmware prior to v3.10, the listed Modicon Quantum firmware versions prior to v3.60, and Modicon Premium firmware prior to v3.20, with multiple remediation notes for the end-of-life Quantum and Premium platforms.
Defensive priority
High. Prioritize if the affected controllers are reachable from broader OT or enterprise networks, especially where Modbus/TCP access is present. Treat as urgent in environments where controller availability is critical and patching or segmentation is incomplete.
Recommended defensive actions
- Inventory Schneider Electric controllers and confirm whether any affected firmware versions are deployed.
- Upgrade Modicon M580 to firmware SV4.20 or above and update EcoStruxure Control Expert as instructed by Schneider Electric.
- Upgrade Modicon M340 to firmware v3.60 or above and update EcoStruxure Control Expert as instructed by Schneider Electric.
- For affected Quantum and Premium systems, apply the vendor's remediation guidance and plan migration where products are end of life.
- Restrict access to controller services by applying network segmentation, firewall controls, and ACLs to block unauthorized access to port 502/TCP.
- Enable application passwords and follow the secured communications guidance referenced in the vendor materials.
- For M580/M340 architectures, use the vendor-recommended secure communication options, including IPsec where applicable, and verify controller memory protection guidance for supported configurations.
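As an added example (not part of the debrief or of any Schneider Electric tooling), a small inventory check that encodes the affected-version and upgrade thresholds stated above and classifies each controller. The asset list is constructed, and version parsing assumes the advisory's two-digit minor format (v2.90, SV4.20).

```python
import re
# Version thresholds as stated in this debrief: firmware below "affected_before"
# is listed as vulnerable; "upgrade_to" is the target named in the recommended
# actions (the page gives no upgrade target for Quantum and Premium).
AFFECTED = {
    "M580": {"affected_before": "v2.90", "upgrade_to": "SV4.20"},
    "M340": {"affected_before": "v3.10", "upgrade_to": "v3.60"},
    "Quantum": {"affected_before": "v3.60", "upgrade_to": None},
    "Premium": {"affected_before": "v3.20", "upgrade_to": None},
}

def parse_version(text):
    """Turn 'v2.90', 'SV4.20' or '3.10' into a comparable tuple of ints.
    Assumes the advisory's two-digit minor field, so '2.9' would NOT equal '2.90'."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def assess(product, firmware):
    """Return (status, note) for one controller. status is one of
    'affected', 'below_target', 'ok' or 'unknown_product'."""
    rule = AFFECTED.get(product)
    if rule is None:
        return "unknown_product", "not a product named in this advisory"
    ver = parse_version(firmware)
    if ver < parse_version(rule["affected_before"]):
        target = rule["upgrade_to"] or "vendor remediation / migration guidance"
        return "affected", f"below {rule['affected_before']}; move to {target}"
    if rule["upgrade_to"] and ver < parse_version(rule["upgrade_to"]):
        return "below_target", f"outside the affected range but below {rule['upgrade_to']}"
    return "ok", "at or above the versions named in the advisory"

# Constructed sample inventory (hypothetical asset names, not real site data).
INVENTORY = [
    {"asset": "plc-line1", "product": "M580", "firmware": "v2.70"},
    {"asset": "plc-line2", "product": "M580", "firmware": "SV4.20"},
    {"asset": "plc-pack1", "product": "M340", "firmware": "3.10"},
    {"asset": "plc-util1", "product": "Quantum", "firmware": "v3.10"},
    {"asset": "plc-test", "product": "M221", "firmware": "1.12"},
]

def triage(inventory):
    """Map each asset name to its (status, note) so results can be filtered."""
    return {i["asset"]: assess(i["product"], i["firmware"]) for i in inventory}

if __name__ == "__main__":
    for asset, (status, note) in triage(INVENTORY).items():
        print(f"{asset:10} {status:15} {note}")
```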
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-25-114-01 and the Schneider Electric Security and Safety Notice SEVD-2019-134-11. The advisory states that an uncaught exception can cause denial of service when invalid data is read from the controller. The source includes version-specific fixes and mitigation guidance, plus later revision history entries that expand remediation and hardening instructions. The supplied source metadata also contains both CVSS 3.1 and CVSS v4.0 scores; the debrief preserves that distinction rather than treating either as the only score.
Official resources
- CVE-2019-6809 CVE record (CVE.org)
- CVE-2019-6809 NVD detail (NVD)
- Source item URL (cisa_csaf)
The vulnerability was publicly disclosed on 2019-05-14 in Schneider Electric Security and Safety Notice SEVD-2019-134-11 and mirrored in CISA advisory ICSA-25-114-01. The advisory was revised multiple times afterward to add firmware fixes,