PatchSiren cyber security CVE debrief
CVE-2023-6408 Schneider Electric CVE debrief
CVE-2023-6408 is a critical vulnerability in Schneider Electric Modicon M340, M580, M580 Safety, MC80, and Momentum M1E PLCs, as well as EcoStruxure Control Expert and EcoStruxure Process Expert software. The flaw, classified as CWE-924 (Improper Enforcement of Message Integrity During Transmission in a Communication Channel), enables man-in-the-middle attackers to compromise controller confidentiality, integrity, and availability. The vulnerability carries a CVSS v4.0 base score of 9.2 (Critical) and a CVSS v3.1 score of 8.1 (High). CISA published this advisory on February 13, 2024, with subsequent updates through May 7, 2026, expanding affected products and releasing remediations. The attack vector is network-based with high attack complexity, requiring attacker positioning on the transmission path, but no privileges or user interaction. Successful exploitation can result in complete loss of confidentiality, integrity, and availability for the vulnerable controllers.
- Vendor: Schneider Electric
- Product: Modicon M340 CPU (part numbers BMXP34*)
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-13
- Original CVE updated: 2026-05-07
- Advisory published: 2024-02-13
- Advisory updated: 2026-05-07
Who should care
Industrial control system operators, OT security teams, critical infrastructure asset owners, manufacturing security personnel, and organizations utilizing Schneider Electric Modicon PLC platforms in production environments
Technical summary
The vulnerability stems from improper enforcement of message integrity during transmission, allowing attackers positioned on the communication path to intercept and manipulate traffic to Modicon controllers. The flaw affects multiple PLC families (M340, M580, M580 Safety, MC80, Momentum M1E) and engineering software (EcoStruxure Control Expert, EcoStruxure Process Expert). Attack complexity is high due to the prerequisite of network positioning, but the vulnerability is exploitable without authentication or user interaction. Impact scope is limited to the vulnerable controller itself (no downstream scope impact per CVSS v4.0). Remediation requires firmware updates for hardware products and software upgrades for engineering workstations, with some products (MC80) having no patch available and relying solely on mitigations.
Defensive priority
Critical
Recommended defensive actions
- Apply vendor firmware updates: Modicon M340 CPU to SV3.60 or later, Modicon M580 CPU to SV4.20 or later, Modicon M580 CPU Safety to SV4.21 or later, Modicon Momentum M1E Processor to SV2.90 or later
- Upgrade EcoStruxure Control Expert to version 16.0 or 15.3 HF008 as applicable
- Upgrade EcoStruxure Process Expert to version 2023 or later
- Implement network segmentation and firewall rules to block unauthorized access to TCP port 502
- Configure Access Control Lists (ACLs) per vendor documentation for each PLC model
- Enable application passwords in project properties for all affected controllers
- Deploy IPsec encryption using BMENOC modules, BMENUA0100 modules, or external VPN solutions such as Belden EAGLE40-07
- Activate CPU memory protection by configuring input bits to physical inputs where supported (not available for M580 Hot Standby CPUs, which require IPsec instead)
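The first three actions above amount to comparing each asset against the fixed versions named in the advisory. The following script is an added example (not PatchSiren's or Schneider Electric's code) that does that comparison over a constructed inventory; it assumes firmware strings of the form "SVx.yy", Control Expert strings of the form "15.3 HF007", and the inventory field names used below.

```python
"""Flag Modicon assets still below the CVE-2023-6408 fixed versions from the advisory."""
import re
from typing import NamedTuple

# Fixed firmware per controller family, as (major, minor) of the "SV" string.
# MC80 has no firmware fix and relies on mitigations only, so it is always flagged.
FIXED_FIRMWARE = {
    "M340": (3, 60),
    "M580": (4, 20),
    "M580 Safety": (4, 21),
    "Momentum M1E": (2, 90),
    "MC80": None,
}

class Finding(NamedTuple):
    name: str
    vulnerable: bool
    note: str

def parse_sv(version: str) -> tuple[int, int]:
    """Turn a firmware string such as 'SV3.60' (or '3.60') into a comparable tuple."""
    m = re.fullmatch(r"(?:SV)?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(m[1]), int(m[2])

def control_expert_fixed(version: str) -> bool:
    """Control Expert is fixed at 16.0 or later, or on the 15.3 branch at HF008 or later."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\s*HF(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Control Expert version: {version!r}")
    major, minor, hf = int(m[1]), int(m[2]), int(m[3] or 0)
    return (major, minor) >= (16, 0) or ((major, minor) == (15, 3) and hf >= 8)

def assess(assets: list[dict]) -> list[Finding]:
    """Return one Finding per asset; unknown models are reported as out of scope."""
    findings = []
    for a in assets:
        model, version = a["model"], a["version"]
        if model == "Control Expert":
            vuln = not control_expert_fixed(version)
            note = "upgrade to 16.0 or 15.3 HF008" if vuln else "fixed version"
        elif model in FIXED_FIRMWARE:
            fixed = FIXED_FIRMWARE[model]
            if fixed is None:
                vuln, note = True, "no patch available; apply ACLs, port 502 filtering, IPsec"
            else:
                vuln = parse_sv(version) < fixed
                note = f"update to SV{fixed[0]}.{fixed[1]:02d} or later" if vuln else "fixed version"
        else:
            vuln, note = False, "model not covered by this advisory"
        findings.append(Finding(a["name"], vuln, note))
    return findings

SAMPLE_INVENTORY = [  # constructed sample data, not a real site inventory
    {"name": "plc-line1", "model": "M340", "version": "SV3.50"},
    {"name": "plc-line2", "model": "M580", "version": "SV4.20"},
    {"name": "plc-safety", "model": "M580 Safety", "version": "SV4.20"},
    {"name": "plc-mc80", "model": "MC80", "version": "SV1.90"},
    {"name": "eng-ws1", "model": "Control Expert", "version": "15.3 HF007"},
    {"name": "eng-ws2", "model": "Control Expert", "version": "15.3 HF008"},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.name:12} {'VULNERABLE' if f.vulnerable else 'ok':10} {f.note}")
```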
Evidence notes
The vulnerability description and CVSS scoring are drawn from the CISA CSAF advisory ICSA-24-331-03. The affected product list and remediation timeline are confirmed through the advisory's revision history, which documents five releases from initial publication through May 2026. Vendor fixes are specified with exact firmware and software versions.
Official resources
- CVE-2023-6408 CVE record (CVE.org)
- CVE-2023-6408 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-02-13T12:41:43.000Z