PatchSiren cyber security CVE debrief
CVE-2024-11737 Schneider Electric CVE debrief
A critical improper input validation vulnerability (CWE-20) in Schneider Electric Modicon M241, M251, M258, and LMC058 controllers allows unauthenticated remote attackers to cause denial of service and compromise confidentiality and integrity via crafted Modbus packets. The vulnerability was disclosed on December 10, 2024, with vendor fixes released in phases: M241/M251 firmware 5.2.11.29 became available by March 11, 2025, and M258/LMC058 firmware 5.0.4.19 by October 14, 2025. The CVSS 3.1 score of 9.8 reflects network attack vector, low complexity, no privileges required, and high impacts across confidentiality, integrity, and availability. No known exploitation in ransomware campaigns has been reported.
- Vendor
- Schneider Electric
- Product
- Modicon Controllers M241
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-12-10
- Original CVE updated
- 2025-10-14
- Advisory published
- 2024-12-10
- Advisory updated
- 2025-10-14
Who should care
Organizations operating Schneider Electric Modicon M241, M251, M258, or LMC058 controllers in industrial automation environments, particularly those with Modbus TCP connectivity exposed to operational technology networks. Critical infrastructure operators, manufacturing facilities, and any deployment where controller availability and integrity are essential for safety or production continuity.
Technical summary
The vulnerability stems from improper input validation (CWE-20) in the Modbus protocol implementation of affected Schneider Electric Modicon controllers. An unauthenticated attacker can send a crafted Modbus packet to TCP port 502, triggering conditions that result in denial of service and potentially compromising the confidentiality and integrity of the controller. The attack requires no authentication, no user interaction, and is exploitable over the network with low complexity. Firmware updates released in 2025 address the input validation deficiency.
Defensive priority
critical
Recommended defensive actions
- Apply vendor firmware updates immediately: upgrade Modicon M241/M251 to version 5.2.11.29 or later using Schneider Electric Software Update (SESU) within EcoStruxure Machine Expert, then reboot
- Apply vendor firmware updates immediately: upgrade Modicon M258/LMC058 to version 5.0.4.19 or later using Controller Assistant from EcoStruxure Machine Expert, then reboot
- If immediate patching is not feasible, isolate affected controllers within protected network segments with no internet or untrusted network access
- Configure embedded firewalls to filter ports and IP addresses, specifically blocking unauthorized access to TCP port 502
- Disable all unused protocols per default configuration guidance
- Implement network segmentation with firewalls to restrict Modbus TCP port 502 access to authorized systems only
- Review and apply Schneider Electric cybersecurity guidelines for EcoStruxure Machine Expert and Modicon controllers
Evidence notes
CISA ICS Advisory ICSA-24-352-04 documents this vulnerability with vendor confirmation from Schneider Electric. The advisory revision history tracks remediation availability: initial disclosure December 10, 2024; M241/M251 fix March 11, 2025; M258/LMC058 fix October 14, 2025. CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms unauthenticated network exploitable condition.
Official resources
-
CVE-2024-11737 CVE record
CVE.org
-
CVE-2024-11737 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-12-10