PatchSiren cyber security CVE debrief
CVE-2018-7843 Schneider Electric CVE debrief
CVE-2018-7843 is a Schneider Electric Modicon controller denial-of-service issue caused by an uncaught exception when the device reads memory blocks with an invalid data size or invalid data offset over Modbus. The supplied advisory record shows the issue was publicly disclosed on 2019-05-14 and later revised multiple times, mainly to refine remediation guidance. While the primary label is Modicon M580, the advisory scope also includes Modicon M340, Quantum, and Premium product lines. The impact is availability-only: no evidence in the supplied sources indicates code execution or data disclosure.
- Vendor
- Schneider Electric
- Product
- Modicon M580 Controller
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2019-05-14
- Original CVE updated
- 2026-04-23
- Advisory published
- 2019-05-14
- Advisory updated
- 2026-04-23
Who should care
Operators, integrators, and defenders responsible for Schneider Electric Modicon PLCs and related engineering workstations, especially environments that expose Modbus/TCP (port 502) or rely on M580, M340, Quantum, or Premium controllers.
Technical summary
The flaw is an uncaught exception in Modbus handling when a memory-block read request contains invalid size or offset values. In the supplied advisory, Schneider Electric ties fixes to specific firmware releases: Modicon M580 SV4.20 or above, Modicon M340 v3.60 or above, Modicon Quantum v3.60, and Modicon Premium v3.20. The advisory also recommends compensating controls such as application passwords, network segmentation, ACLs, and blocking unauthorized access to port 502/TCP.
Defensive priority
High priority for any exposed or remotely reachable Modicon controller, because the issue can be triggered over the network and directly affects availability.
Recommended defensive actions
- Update affected firmware to the vendor-fixed release for the relevant controller family (M580 SV4.20+, M340 v3.60+, Quantum v3.60, Premium v3.20).
- Update EcoStruxure Control Expert/project settings to match the target controller firmware, then rebuild and transfer the project as directed by the vendor.
- Restrict Modbus/TCP exposure: block unauthorized access to port 502/TCP, segment networks, and apply controller ACL guidance from the vendor manuals.
- Configure application passwords in project properties where supported.
- Use vendor-recommended secure communications and, where applicable, IPsec or external firewall/VPN protections described in the advisory.
- For end-of-life Quantum and Premium systems, plan migration to supported platforms rather than relying only on compensating controls.
Evidence notes
The source corpus states: an uncaught exception can cause denial of service when reading memory blocks with an invalid data size or invalid data offset over Modbus. The advisory metadata and remediation entries list affected Schneider Electric product families and fixed firmware versions, plus mitigations centered on application passwords, segmentation, ACLs, and blocking unauthorized access to port 502/TCP. The revision history shows the notice was updated several times after the original 2019-05-14 publication, including corrections to remediation/version information. The supplied CVE summary uses a CVSS v3.1 vector/score of 7.5 HIGH, while the description also includes a CVSS v4.0 8.7 HIGH string; both are present in the source corpus and should not be conflated.
Official resources
-
CVE-2018-7843 CVE record
CVE.org
-
CVE-2018-7843 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Public disclosure in the supplied advisory record is dated 2019-05-14. The advisory was revised afterward, including remediation and version guidance updates, but those later revisions do not change the original CVE issue date.