PatchSiren

CVE-2019-6808 Schneider Electric CVE debrief

CVE-2019-6808 is a critical improper access control issue in Schneider Electric Modicon controllers. According to the supplied advisory material, an attacker could overwrite controller configuration settings over Modbus and potentially achieve remote code execution. Schneider Electric and CISA guidance ties the issue to multiple Modicon families, with firmware updates available for some products and migration/mitigation guidance for end-of-life lines.

Vendor: Schneider Electric
Product: Modicon M580 Controller
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2019-05-14
Original CVE updated: 2026-04-23
Advisory published: 2019-05-14
Advisory updated: 2026-04-23

Who should care

OT and ICS owners running Schneider Electric Modicon M580 or M340 controllers, and operators still maintaining Quantum, Quantum Safety, or Premium environments. Engineering workstation administrators and network teams should also care because remediation includes project updates, application passwords, and network controls around Modbus/TCP port 502.

Technical summary

The vulnerability is described as improper access control affecting controller configuration handling over Modbus. The provided CVSS v4.0 vector indicates network reachability, no required privileges, no user interaction, and high impact across confidentiality, integrity, availability, and system scope. The source advisory lists affected products as Modicon M580 firmware prior to v2.90, Modicon M340 firmware prior to v3.10, and all versions of Quantum, Quantum Safety, and Premium firmware. Vendor remediation is available for M580 (v4.20 or above) and M340 (v3.60 or above), while Quantum Safety and Premium are identified as end-of-life with migration recommended. Mitigations emphasize application passwords, segmentation, ACLs, and blocking unauthorized access to TCP/502.

Defensive priority

Immediate for exposed OT networks. This is a critical remote impact issue with vendor-described RCE potential and no authentication requirement in the supplied CVSS context. Prioritize internet-facing, cross-zone, and remotely managed deployments first, then validate controller firmware and project settings across affected lines.

Recommended defensive actions

  • Update Modicon M580 controllers to firmware SV4.20 or later and update EcoStruxure Control Expert to the vendor-recommended version before rebuilding and transferring projects.
  • Update Modicon M340 controllers to firmware v3.60 or later and rebuild/transfer projects after applying the vendor-required project changes.
  • Set an application password in project properties wherever supported.
  • Segment networks and block unauthorized access to Modbus/TCP port 502 with firewalls or equivalent controls.
  • Configure access control lists according to the relevant Schneider Electric user manuals and secure-communications guidance.
  • If using M580, follow the vendor guidance for IPsec-secured communications and CPU memory protection where applicable.
  • For Quantum, Quantum Safety, and Premium environments, plan migration because the advisory states no fix is planned for end-of-life products.
  • Verify controller firmware, engineering-workstation software, and project version settings match the remediated target platform before returning systems to service.
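The firmware check in the last action can be run over an asset inventory. The sketch below is an added example, not vendor or PatchSiren code; it uses only the version thresholds quoted in this debrief, and the inventory rows, status names, and review order are assumptions made for the example. BELOW_TARGET marks firmware that is outside the listed affected range but older than the remediation version named above.

```python
import re

# Thresholds from the debrief above: (affected below, remediation target).
FIXABLE = {"M580": ((2, 90), (4, 20)), "M340": ((3, 10), (3, 60))}
# Families listed as affected in all versions, with migration as the guidance.
MIGRATE = {"QUANTUM", "QUANTUM SAFETY", "PREMIUM"}
# Review order, most urgent first (the ordering is this example's choice).
PRIORITY = ["AFFECTED", "MIGRATE", "CHECK_MANUALLY", "BELOW_TARGET",
            "UNKNOWN_FAMILY", "AT_TARGET"]


def parse_version(text):
    """Parse 'v2.80' or 'SV4.20' into (major, minor); assumes a two-digit minor."""
    m = re.fullmatch(r"\s*(?:SV|V)?(\d+)\.(\d{2})\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(family, firmware):
    """Map one controller to a status using the thresholds above."""
    fam = family.strip().upper().replace("MODICON ", "")
    if fam in MIGRATE:
        return "MIGRATE"
    if fam not in FIXABLE:
        return "UNKNOWN_FAMILY"
    try:
        ver = parse_version(firmware)
    except ValueError:
        return "CHECK_MANUALLY"  # do not guess: confirm on the controller
    affected_below, target = FIXABLE[fam]
    if ver < affected_below:
        return "AFFECTED"
    return "BELOW_TARGET" if ver < target else "AT_TARGET"


def triage(inventory):
    """Return (name, status) pairs, most urgent first."""
    rows = [(name, classify(fam, fw)) for name, fam, fw in inventory]
    return sorted(rows, key=lambda r: PRIORITY.index(r[1]))


# Constructed sample inventory (names and versions are made up for the example).
SAMPLE = [
    ("plc-01", "Modicon M580", "SV4.20"),
    ("plc-02", "M580", "v2.80"),
    ("plc-03", "M340", "v3.20"),
    ("plc-04", "Premium", "v3.10"),
    ("plc-05", "M340", "unknown"),
]
```

Calling triage(SAMPLE) returns the controllers ordered for review; a version string that does not parse is reported as CHECK_MANUALLY rather than being treated as patched.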

Evidence notes

The supplied source corpus states that improper access control could allow remote code execution by overwriting controller configuration settings over Modbus. The advisory inventory names affected Schneider Electric products and distinguishes between fixed products (M580 and M340) and end-of-life products (Quantum, Quantum Safety, Premium). Revision history in the source item shows later advisory updates that refined firmware and mitigation guidance after the 2019 CVE publication date.

Official resources

CVE-2019-6808 was published on 2019-05-14. The source advisory history shows later updates in 2019 and 2020 that expanded and corrected remediation guidance; those updates should not be confused with the original CVE publication date.