PatchSiren cyber security CVE debrief

CVE-2018-7855 Schneider Electric CVE debrief

CVE-2018-7855 is a Schneider Electric Modicon controller vulnerability in which invalid breakpoint parameters sent over Modbus can trigger an uncaught exception and denial of service. The supplied advisory marks it as a high-severity availability issue and lists multiple affected Modicon families, with some legacy Quantum and Premium products receiving mitigation guidance rather than a fix.

Vendor: Schneider Electric
Product: Modicon M580 Firmware Versions prior to v4.20 installed on Modicon M580 Controller (part numbers BMEP* and BMEH*, excluding M580 CPU Safety)
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-05-14
Original CVE updated: 2026-04-23
Advisory published: 2019-05-14
Advisory updated: 2026-04-23

Who should care

Industrial control system operators, OT security teams, and control engineers responsible for Schneider Electric Modicon M580, M340, MC80, Momentum Unity M1E, Quantum, Quantum Safety, and Premium environments should care, especially where Modbus/TCP is reachable or EcoStruxure Control Expert workstations manage the controllers.

Technical summary

The source advisory describes an uncaught exception reachable by sending invalid breakpoint parameters to the controller over Modbus, resulting in denial of service and loss of availability. The CSAF advisory lists affected firmware and controller families across Modicon M580, M340, MC80, Momentum Unity M1E, Quantum/Quantum Safety, and Premium product lines; for some end-of-life Quantum and Premium products, Schneider Electric states no fix is planned and recommends mitigation and migration.

Defensive priority

High. The issue is network-reachable over Modbus and can disrupt controller availability in operational environments, so supported systems should be patched promptly and exposed systems should be protected with compensating controls.

Recommended defensive actions

Update supported Modicon M580 systems to firmware SV4.20 or later and EcoStruxure Control Expert to v16.0, then rebuild and transfer projects as instructed by the vendor.
Update supported Modicon M340 systems to firmware v3.60 or later and apply the vendor's project update/rebuild/transfer steps.
Update supported Modicon Momentum Unity M1E systems to firmware v2.90 or later and the referenced EcoStruxure Control Expert version, then rebuild and transfer projects.
For Quantum, Quantum Safety, and Premium systems, apply the vendor mitigations immediately and plan migration where the advisory says no fix is planned.
Restrict Modbus/TCP access to port 502 with network segmentation, firewalls, and ACLs; use application passwords and secure communication options described in the vendor guidance.
After any firmware change, verify the controller firmware version in projects and rebuild/transfer to align the engineering workstation with the target controller.

Evidence notes

The supplied corpus states: "An uncaught exception vulnerability exists, which could cause a denial of service when sending invalid breakpoint parameters to the controller over Modbus." The advisory publication timestamp is 2019-05-14, and later source revisions appear in the timeline through 2020; the source modified timestamp is 2026-04-23. The corpus also contains a CVSS v4.0 base score of 8.7 (High) in the advisory description, while the metadata section includes a CVSS 3.1 vector with a 7.5 score, so the supplied scoring fields are inconsistent; this debrief follows the advisory's described high-availability impact and affected-product guidance.

Official resources

Originally disclosed in Schneider Electric's advisory and published in the CISA CSAF record on 2019-05-14. The source corpus shows later advisory updates through 2020 and a modified timestamp of 2026-04-23; this debrief uses the CVE/advisoy