PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-6409 Schneider Electric CVE debrief

A hard-coded credentials vulnerability (CWE-798) in Schneider Electric's EcoStruxure Control Expert and Process Expert engineering software allows unauthorized access to password-protected project files. The flaw exists because the software contains embedded credentials that can bypass application-level password protection when opening project files. This affects industrial control system programming environments used with Modicon M340, M580, and related PLC platforms. The vulnerability requires local access to the system but enables high-impact confidentiality and integrity breaches against protected project files without requiring user interaction or privileges.

Vendor: Schneider Electric
Product: Modicon M340 CPU (part numbers BMXP34*)
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-13
Original CVE updated: 2026-05-07
Advisory published: 2024-02-13
Advisory updated: 2026-05-07

Who should care

Industrial control system engineers, OT security teams, and asset owners using Schneider Electric Modicon PLCs with EcoStruxure engineering software should prioritize remediation. Organizations in critical infrastructure sectors—particularly energy, water/wastewater, manufacturing, and building automation—face elevated risk due to the potential for unauthorized modification of control logic. Security operations centers monitoring OT environments should audit for anomalous project file access and verify that engineering workstations have received software updates. Compliance teams tracking IEC 62443 or NERC CIP requirements should document remediation status given the high CVSS score and availability of vendor fixes.

Technical summary

The vulnerability stems from CWE-798 (Use of Hard-coded Credentials) in EcoStruxure Control Expert and Process Expert engineering software. When a user attempts to open a project file protected with an application password, the software's embedded credentials allow unauthorized access that bypasses the password protection mechanism. The attack vector is local (AV:L) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). Successful exploitation yields high impact on confidentiality (VC:H) and integrity (VI:H) of the project file contents. The vulnerability does not affect availability of the targeted system (VA:N) and has no scope change (SC:N). Affected software versions include EcoStruxure Control Expert prior to v16.0 and EcoStruxure Process Expert prior to v2023. The underlying PLC platforms (Modicon M340, M580 families) receive firmware updates to address related credential management issues in device communications.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade EcoStruxure Control Expert to version 16.0 or apply hotfix 15.3 HF008; upgrade EcoStruxure Process Expert to version 2023 or later
  • Apply firmware updates: Modicon M340 to SV3.60, Modicon M580 to SV4.20, and M580 CPU Safety to remediated versions per vendor guidance
  • Enable application password protection in project properties as defense-in-depth
  • Implement network segmentation and firewall rules to block unauthorized access to TCP port 502 (Modbus)
  • Configure Access Control Lists (ACLs) per Modicon M340/M580 hardware reference manuals
  • Deploy IPsec encryption using BMENOC modules, BMENUA0100 modules, or external VPN gateways such as Belden EAGLE40-07 for M340/M580 architectures
  • Activate CPU memory protection by configuring input bits to physical inputs where supported (not available on M580 Hot Standby CPUs)
  • For M580 CPU Safety systems, ensure Safety mode operation with the maintenance input configured to maintain the safety state during operation, per the system planning guide
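
The first two actions can be tracked with a version audit over an asset inventory. The script below is an added example, not PatchSiren or Schneider Electric code: it compares reported versions against the remediated versions named above. The inventory rows and asset names are constructed, and treating hotfixes later than HF008 as remediated is an assumption.

```python
import re

# Remediated versions as stated in the recommended actions above.
FIXED = {
    "EcoStruxure Control Expert": (16, 0),
    "EcoStruxure Process Expert": (2023, 0),
    "Modicon M340": (3, 60),  # firmware SV3.60
    "Modicon M580": (4, 20),  # firmware SV4.20
}
# Control Expert 15.3 also counts as remediated once hotfix HF008 is applied.
CE_HOTFIX_BASE, CE_HOTFIX_MIN = (15, 3), 8

def parse_version(text):
    """Split 'SV3.60', 'v16.0' or '15.3 HF008' into ((major, minor), hotfix)."""
    m = re.fullmatch(r"\s*(?:SV|v)?(\d+(?:\.\d+)*)(?:\s*HF(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (2 - len(numbers))  # '16' compares equal to '16.0'
    return numbers, int(m.group(2)) if m.group(2) else 0

def status(product, version):
    """Return 'remediated', 'vulnerable' or 'unknown' for one inventory row."""
    if product not in FIXED:
        return "unknown"  # e.g. M580 CPU Safety: the page names no fixed version
    try:
        numbers, hotfix = parse_version(version)
    except ValueError:
        return "unknown"
    if numbers >= FIXED[product]:
        return "remediated"
    # Assumption: hotfixes are cumulative, so HF008 or any later HF is fixed.
    if (product == "EcoStruxure Control Expert"
            and numbers == CE_HOTFIX_BASE and hotfix >= CE_HOTFIX_MIN):
        return "remediated"
    return "vulnerable"

# Constructed inventory rows: (asset name, product, reported version).
INVENTORY = [
    ("eng-ws-01", "EcoStruxure Control Expert", "15.3 HF008"),
    ("eng-ws-02", "EcoStruxure Control Expert", "15.1"),
    ("eng-ws-03", "EcoStruxure Process Expert", "2021"),
    ("plc-pump-1", "Modicon M340", "SV3.50"),
    ("plc-line-4", "Modicon M580", "SV4.20"),
    ("plc-sis-1", "Modicon M580 CPU Safety", "SV4.21"),
]

def audit(rows):
    return {asset: status(product, version) for asset, product, version in rows}
```

Rows reported as "unknown" need a manual check against the vendor advisory, since the page gives no fixed version for those products.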

Evidence notes

CISA CSAF advisory ICSA-24-331-03 published 2024-02-13 documents this vulnerability with CVSS 4.0 score 8.5 (High). The advisory was republished by CISA on 2026-05-07 based on Schneider Electric's SEVD-2024-044-01 security notice. Multiple remediation releases occurred between initial disclosure and final update: Additional Release 1 (2024-07-09) expanded impact to Modicon MC80 and Momentum M1E PLCs; Additional Release 2 (2024-08-13) provided M580 CPU Safety remediation; Additional Release 3 (2026-04-14) added Momentum controller remediation; and the 2026-05-07 republication incorporated final Schneider Electric advisory updates.
