PatchSiren cyber security CVE debrief
CVE-2023-28355 Schneider Electric CVE debrief
CVE-2023-28355 affects Schneider Electric devices using CODESYS Runtime, including HMISCU Controller. The issue is an integrity-verification weakness: the runtime checksum helps the development system compare the loaded project with the PLC application code running on the controller, but Schneider Electric says it is not sufficient to reliably detect code altered in memory or manipulated boot application files.
- Vendor
- Schneider Electric
- Product
- HMISCU Controller
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2023-07-11
- Original CVE updated
- 2026-01-20
- Advisory published
- 2023-07-11
- Advisory updated
- 2026-01-20
Who should care
OT/ICS operators, control engineers, and asset owners using Schneider Electric HMISCU Controller or other CODESYS Runtime-based Schneider Electric devices, especially where engineering workstations or programming ports are reachable from broader networks.
Technical summary
The advisory states that CODESYS Control Runtime includes a checksum that lets the development system check at login whether the loaded project matches the PLC application code executed on the controller. Schneider Electric says that checksum is not reliable for detecting PLC application code modified in memory or manipulated boot application files. The supplied CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) indicates network reachability, low privileges, and a primary integrity impact.
Defensive priority
High priority for environments that depend on PLC logic integrity or have exposed engineering paths. Treat this as an access-control and configuration-hardening issue as well as a patching issue.
Recommended defensive actions
- Follow Schneider Electric's product-specific remediation guidance for the affected device family; the supplied corpus does not list a dedicated HMISCU Controller fix.
- Restrict access to programming ports and keep controllers and engineering systems segmented from untrusted networks.
- Use firewalls and VPNs for remote access, and limit physical and OS-level access to development and control systems.
- Enable user management, enforce strong passwords, and use encrypted communication links.
- Apply Schneider Electric's project-encryption and other cybersecurity guidance for EcoStruxure Machine Expert, Modicon, and PacDrive environments where applicable.
- Maintain up-to-date malware protection on both development workstations and control systems.
Evidence notes
CVE published 2023-07-11. The source advisory was republished by CISA on 2026-01-20, and its revision history shows later updates to product scope and remediation notes. The core vulnerability statement is consistent across the supplied corpus: the runtime checksum is not enough to reliably detect in-memory code modification or boot application file manipulation.
Official resources
-
CVE-2023-28355 CVE record
CVE.org
-
CVE-2023-28355 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Public CVE disclosure date: 2023-07-11T07:15:18Z. CISA republished the Schneider Electric advisory on 2026-01-20T15:49:51.778Z.