PatchSiren

CVE-2019-6806 Schneider Electric CVE debrief

CVE-2019-6806 is a confidentiality issue in Schneider Electric Modicon controllers where reading controller variables over Modbus can disclose SNMP information. The advisory scope is broader than the M580 controller named in the title: the supplied source corpus also lists M340, Quantum, Quantum Safety, and Premium product families. The practical risk is highest where Modbus is reachable outside a trusted control zone, especially on port 502/TCP. For some platforms Schneider Electric provides mitigation guidance rather than a direct fix; for Quantum and Premium, the advisory states the products are end of life and recommends migration.

Vendor: Schneider Electric
Product: Modicon M580 Firmware All Versions installed with Modicon M580 Controller
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-05-14
Original CVE updated: 2026-04-23
Advisory published: 2019-05-14
Advisory updated: 2026-04-23

Who should care

OT/ICS asset owners, plant operators, control engineers, system integrators, and security teams responsible for Schneider Electric Modicon environments. Prioritize sites where Modbus traffic is routable beyond a tightly controlled segment, where ACLs are missing, or where legacy Quantum/Premium systems remain in service.

Technical summary

The advisory describes an information exposure condition: when a client reads variables in the controller using Modbus, SNMP information may be disclosed. The source corpus ties the issue to Schneider Electric Modicon product families including M580, M340, Quantum, Quantum Safety, and Premium. Mitigations center on reducing unauthorized Modbus access and hardening communications: application passwords, network segmentation, firewall rules blocking unauthorized access to TCP/502, access control lists, secure communications guidance, and IPsec-based protections for supported M580 deployments. For Quantum and Premium, the vendor states no fix is planned because the products are end of life.

Defensive priority

High for any environment where Modbus is reachable from untrusted or broad internal networks; medium if the affected controllers are isolated behind strict OT segmentation and access controls. Treat EOL Quantum and Premium systems as migration candidates.

Recommended defensive actions

  • Restrict Modbus access at the network layer and block unauthorized traffic to TCP/502.
  • Enable and enforce controller or project application passwords where supported.
  • Apply vendor access control list guidance for the affected product family.
  • Use Schneider Electric's secured communications and IPsec guidance for supported M580/M340 deployments.
  • For M580, follow the documented CPU memory protection guidance where applicable; note the source corpus says this cannot be configured on M580 Hot Standby CPUs.
  • Treat Quantum and Premium as end-of-life and plan migration to supported platforms such as Modicon M580.
  • Validate that remediation matches the exact firmware/controller combination listed in the advisory before making changes.
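
One way to check that the TCP/502 restriction and ACL actions above are actually effective is to audit exported flow records against the intended allow-list. The script below is an added example, not part of the advisory or any Schneider Electric tooling; the controller addresses, allowed networks, CSV layout (src,dst,proto,dport) and sample flows are all constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

MODBUS_PORT = 502  # TCP port named in the advisory mitigations

# Assumed allow-list: controller IP -> source networks permitted to speak Modbus to it.
ALLOWED_SOURCES = {
    "10.20.1.10": [ip_network("10.20.1.0/28")],  # hypothetical M580, SCADA/engineering subnet
    "10.20.1.11": [ip_network("10.20.1.5/32")],  # hypothetical M340, single HMI
}

# Constructed sample flow export: src,dst,proto,dport
SAMPLE_FLOWS = """\
10.20.1.5,10.20.1.10,tcp,502
10.20.1.5,10.20.1.11,tcp,502
10.20.1.7,10.20.1.11,tcp,502
192.168.50.23,10.20.1.10,tcp,502
10.20.1.5,10.20.1.10,tcp,443
10.20.1.5,10.20.1.99,tcp,502
not-an-ip,10.20.1.10,tcp,502
"""

def audit_modbus_flows(flow_csv, allowed=ALLOWED_SOURCES):
    """Return (src, dst, reason) for each Modbus/TCP flow the allow-list does not permit."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or truncated records
        src, dst, proto, dport = (field.strip() for field in row)
        if proto.lower() != "tcp" or dport != str(MODBUS_PORT):
            continue  # only Modbus/TCP is in scope
        try:
            src_ip = ip_address(src)
        except ValueError:
            findings.append((src, dst, "unparseable source"))
            continue
        nets = allowed.get(dst)
        if nets is None:
            # A controller reachable on 502 with no ACL entry is itself a gap.
            findings.append((src, dst, "destination has no ACL entry"))
        elif not any(src_ip in net for net in nets):
            findings.append((src, dst, "source outside allow-list"))
    return findings

if __name__ == "__main__":
    for finding in audit_modbus_flows(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

Any finding means a firewall rule or controller ACL is looser than intended, or that an unlisted device is answering on TCP/502.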

Evidence notes

The supplied CSAF source identifies Schneider Electric as the vendor and lists affected product families beyond the title product: Modicon M580, M340, Quantum, Quantum Safety, and Premium. The description states that reading variables in the controller using Modbus can disclose SNMP information. The remediation section specifically recommends application passwords, segmentation, firewalling TCP/502, ACLs, secured communications, and IPsec options. The revision history shows the original release on 2019-05-14 and a remediation correction on 2019-12-10. Quantum and Premium are explicitly marked as end of life with no fix planned in the supplied source corpus.

Official resources

Original public release date in the supplied corpus: 2019-05-14T16:48:40Z. The source revision history later records a remediation correction on 2019-12-10T16:48:40Z. No KEV listing is present in the supplied data.