PatchSiren cyber security CVE debrief
CVE-2018-7845 Schneider Electric CVE debrief
CVE-2018-7845 is an information-disclosure flaw in Schneider Electric Modicon controllers. The advisory says an out-of-bounds read while reading specific memory blocks over Modbus can expose unexpected controller data. Schneider Electric and CISA published the advisory on 2019-05-14, with later revisions adding remediation details for multiple Modicon product lines.
- Vendor
- Schneider Electric
- Product
- Modicon M580 Firmware Versions prior to v2.80 installed on Modicon M580 Controller
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2019-05-14
- Original CVE updated
- 2026-04-23
- Advisory published
- 2019-05-14
- Advisory updated
- 2026-04-23
Who should care
OT security teams, PLC/controls engineers, plant operators, and asset owners running Schneider Electric Modicon M580, M340, Quantum, or Premium controllers and their associated firmware, especially where Modbus access is available on port 502/TCP.
Technical summary
The supplied advisory describes an out-of-bounds read condition in controller memory handling over Modbus. An attacker who can reach the affected service may be able to read past intended memory bounds and disclose unexpected data from the controller. The CISA CSAF source lists impacted Schneider Electric Modicon firmware families and recommends firmware updates plus network-level mitigations such as segmentation, ACLs, and blocking unauthorized access to Modbus on TCP/502.
Defensive priority
High. Prioritize remediation where affected controllers are reachable from broader OT networks or any untrusted segment, and especially where Modbus access is not tightly controlled.
Recommended defensive actions
- Update affected Schneider Electric firmware to the vendor-fixed release for the specific platform: M580 sv4.20 or above, M340 v3.60 or above, Quantum v3.60, or Premium v3.20, as applicable.
- If firmware update is not immediately possible, restrict Modbus access on TCP/502 with segmentation and firewall rules so only authorized engineering assets can connect.
- Apply the vendor-recommended access control list settings and application password protections in project properties.
- Rebuild and transfer updated projects in EcoStruxure Control Expert after changing controller firmware versions, as directed in the advisory.
- For Quantum and Premium systems noted as end of life, plan migration to supported platforms and use the vendor mitigation guidance in the interim.
- Review whether any affected controllers are exposed beyond the OT trust boundary and remove unnecessary paths to Modbus services.
Evidence notes
The source corpus states that an out-of-bounds read could disclose unexpected data from the controller when reading specific memory blocks over Modbus. It also lists affected Schneider Electric Modicon M580, M340, Quantum, and Premium firmware variants and provides vendor fixes and mitigations, including firmware upgrades, application passwords, ACLs, segmentation, and blocking unauthorized access to port 502/TCP. The advisory notes that some Quantum and Premium products are end of life and should be migrated where possible.
Official resources
-
CVE-2018-7845 CVE record
CVE.org
-
CVE-2018-7845 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in vendor and CISA materials on 2019-05-14. This debrief uses the CVE publication date provided in the source corpus; later advisory revisions are timing context only and not the original issue date.