PatchSiren cyber security CVE debrief
CVE-2021-29999 Schneider Electric CVE debrief
CVE-2021-29999 is covered in CISA advisory ICSA-25-058-01 for Schneider Electric communication modules used with Modicon M580 and Quantum controllers. The source advisory ties the issue to a potential stack overflow in the Wind River VxWorks DHCP server through Version 6.8 and maps it to multiple Schneider Electric products with fixed firmware thresholds. Because the CVSS score is 9.8 (network reachable, no privileges, no user interaction), this should be treated as a critical OT patching and exposure-management item. The advisory was initially published on 2025-02-27 and later updated on 2025-04-17 and 2025-09-09, with Update B adding remediations for 140CRA31200 and 140CRA31908.
- Vendor: Schneider Electric
- Product: Modicon M580 communication modules BMENOC BMENOC0321
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-27
- Original CVE updated: 2025-09-09
- Advisory published: 2025-02-27
- Advisory updated: 2025-09-09
Who should care
OT and ICS operators, control-system engineers, plant maintenance teams, and security teams responsible for Schneider Electric Modicon M580/Quantum communication modules and associated industrial networks.
Technical summary
The advisory describes a potential stack overflow in the DHCP server component of Wind River VxWorks through Version 6.8. In the Schneider Electric CSAF, the affected products are BMENOC0321 below SV1.10, BMECRA31210 below SV02.80, BMXCRA31200 below SV02.80, BMXCRA31210 below SV02.80, 140CRA31200 below V02.80, and 140CRA31908 below V02.80. The supplied CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates severe potential impact if the vulnerable component is reachable. The source corpus does not provide exploit details or incident reporting.
Defensive priority
Critical — prioritize inventory, exposure reduction, and firmware remediation immediately.
Recommended defensive actions
- Inventory all Schneider Electric Modicon M580 and Quantum communication modules and compare installed firmware against the advisory thresholds.
- Upgrade BMENOC0321 to SV1.10, BMECRA31210 and BMXCRA31200/31210 to SV02.80, and 140CRA31200 and 140CRA31908 to V02.80 where applicable.
- Segment control and safety networks behind firewalls and minimize any direct Internet exposure.
- Restrict remote access to secured paths only, such as controlled VPN access, and keep remote devices fully updated.
- Apply physical access controls to controllers and keep systems out of Program mode unless operationally required.
- Review removable media and mobile device handling procedures before connecting them to isolated OT networks.
- Use Schneider Electric’s security notice and recommended cybersecurity best practices to validate local mitigation plans.
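One way to carry out the inventory comparison in the first action, as an added example that is not part of the advisory or any Schneider Electric tooling. It assumes the inventory is a CSV with hypothetical columns asset, model and firmware, and that firmware strings are major.minor numbers compared component by component; anything that does not parse is flagged for a manual check.

```python
import csv, io, re

# Fixed-firmware thresholds as listed in the advisory text above.
FIXED = {
    "BMENOC0321": "SV1.10", "BMECRA31210": "SV02.80", "BMXCRA31200": "SV02.80",
    "BMXCRA31210": "SV02.80", "140CRA31200": "V02.80", "140CRA31908": "V02.80",
}

def parse_version(text):
    """Return (major, minor) from strings like 'SV02.80' or 'v2.70', else None."""
    m = re.fullmatch(r"\s*(?:SV|V)?\s*(\d+)\.(\d+)\s*", text, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(model, firmware):
    """Return 'fixed', 'vulnerable', 'unknown-version' or 'not-listed'."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"          # model is not in the advisory's product list
    installed = parse_version(firmware)
    if installed is None:
        return "unknown-version"     # do not assume patched: check by hand
    # Tuple comparison is numeric, so SV1.09 < SV1.10 and SV02.70 < SV02.80.
    return "fixed" if installed >= parse_version(fixed) else "vulnerable"

def audit(inventory_csv):
    """Yield (asset, model, firmware, status) for each row of an inventory CSV."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        yield (row["asset"], row["model"], row["firmware"],
               classify(row["model"], row["firmware"]))

# Constructed sample inventory: asset names and installed versions are made up.
SAMPLE = """asset,model,firmware
line1-noc,BMENOC0321,SV1.09
line2-noc,bmenoc0321,SV1.10
rio-drop3,BMXCRA31210,SV02.70
rio-drop4,BMECRA31210,SV02.80
quantum-a,140CRA31200,V02.80
quantum-b,140CRA31908,unreadable
other-01,OTHER-MODULE,V1.0
"""

if __name__ == "__main__":
    for asset, model, fw, status in audit(SAMPLE):
        print(f"{asset:10} {model:12} {fw:10} {status}")
```

Rows reported as vulnerable or unknown-version are the ones to schedule for firmware verification and upgrade.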
Evidence notes
The source corpus is the CISA CSAF advisory ICSA-25-058-01 (published 2025-02-27, updated 2025-04-17 and 2025-09-09). The advisory’s revision history states that Update B added remediations for 140CRA31200 and 140CRA31908 on 2025-09-09. The CSAF product tree provides the affected product/version thresholds, and the advisory references Schneider Electric security notice SEVD-2025-014-03 plus the Wind River CVE page as additional official sources. No KEV listing is present in the supplied data.
Official resources
- CVE-2021-29999 CVE record (CVE.org)
- CVE-2021-29999 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA in CSAF advisory ICSA-25-058-01 on 2025-02-27, with later updates on 2025-04-17 and 2025-09-09. The supplied source data includes official CVE, NVD, CISA, Schneider Electric, and Wind River references; no Known Ex