PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-6528 Schneider Electric CVE debrief

A cross-site scripting (XSS) vulnerability in Schneider Electric Modicon Controllers allows an attacker to inject arbitrary JavaScript that executes in a victim's browser when the victim visits a page containing the payload. The vulnerability was initially disclosed on December 19, 2024, and subsequently updated on October 21, 2025, to modify the affected product versions for M258/LMC058 controllers and add specific mitigations for those models. The issue affects four controller product lines: M241, M251, M262, and M258/LMC058. Schneider Electric has released firmware updates through EcoStruxure Machine Expert v2.2.2 to address this vulnerability.

Vendor: Schneider Electric
Product: Modicon Controllers M241 / M251
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-19
Original CVE updated: 2025-10-21
Advisory published: 2024-12-19
Advisory updated: 2025-10-21

Who should care

Organizations operating Schneider Electric Modicon M241, M251, M262, or M258/LMC058 controllers in industrial automation environments, particularly those with web interfaces exposed to operational networks or with multiple users accessing controller web pages.

Technical summary

The vulnerability is a stored or reflected cross-site scripting (XSS) issue in the web interface of affected Schneider Electric Modicon Controllers. An attacker can inject malicious JavaScript payloads that execute when a victim accesses a compromised page. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates a network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope, with low impact to confidentiality and integrity and no availability impact. Remediation requires firmware updates delivered through EcoStruxure Machine Expert v2.2.2, with specific version requirements varying by controller model. Update A (October 2025) clarified the affected versions for M258/LMC058 and added targeted mitigations.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates: M241 and M251 to version 5.2.11.24, M262 to version 5.2.8.26, available through EcoStruxure Machine Expert v2.2.2 and Schneider Electric Software Update (SESU)
  • For M258/LMC058 controllers, use Controller Assistant from EcoStruxure Machine Expert to apply updates and perform the reboot
  • Update engineering workstations to EcoStruxure Machine Expert v2.2.2 before updating controller firmware
  • Test patches in a non-production environment using backups before production deployment
  • Minimize network exposure by placing controllers in protected environments with no direct internet access
  • Enable and enforce strong user management and password features
  • Deactivate the webserver when not in use
  • Implement encrypted communication links and network segmentation with firewall rules blocking unauthorized access to ports 80/HTTP and 443/HTTPS

Evidence notes

CVE published 2024-12-19; modified 2025-10-21. Source advisory ICSA-24-354-07 from CISA CSAF. CVSS 5.4 (MEDIUM). Not in CISA KEV. Affects Schneider Electric Modicon Controllers M241 (<5.2.11.24), M251 (<5.2.11.24), M262 (<5.2.8.26), and M258/LMC058 (all versions, with Update A modifying affected version details and adding mitigations).
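The version thresholds in the evidence notes and the recommended actions above are easy to get wrong with a string comparison ("5.2.9.30" sorts after "5.2.11.24" lexically but is older). The following triage script, an added example that is not part of the PatchSiren debrief or of any Schneider Electric tooling, encodes the thresholds quoted on this page and flags inventory entries that still need action. The inventory records and host names are constructed; the M258/LMC058 entry is treated as affected at every version because the page lists no fixed release for those models.

```python
"""Triage a controller inventory against the CVE-2024-6528 thresholds
quoted in the debrief (added example; inventory records are constructed)."""
from typing import Dict, List, Optional, Tuple

# Fixed firmware versions from the evidence notes. None means the page lists
# every version as affected and points to Controller Assistant mitigations.
FIXED_VERSION: Dict[str, Optional[str]] = {
    "M241": "5.2.11.24",
    "M251": "5.2.11.24",
    "M262": "5.2.8.26",
    "M258": None,
    "LMC058": None,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.2.11.24' -> (5, 2, 11, 24) so that comparison is numeric per field."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(model: str, firmware: str) -> bool:
    """True when the controller runs a version the advisory lists as affected."""
    key = model.strip().upper()
    if key not in FIXED_VERSION:
        raise ValueError(f"model not covered by this advisory: {model!r}")
    fixed = FIXED_VERSION[key]
    if fixed is None:
        return True                      # all versions affected per the page
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one action record per controller that is still exposed."""
    findings: List[Dict[str, str]] = []
    for item in inventory:
        model, firmware = item["model"], item["firmware"]
        if not is_affected(model, firmware):
            continue
        fixed = FIXED_VERSION[model.strip().upper()]
        if fixed is None:
            action = ("apply updates with Controller Assistant "
                      "(EcoStruxure Machine Expert) and reboot")
        else:
            action = f"update firmware to {fixed} via EcoStruxure Machine Expert v2.2.2"
        findings.append({"host": item["host"], "model": model,
                         "firmware": firmware, "action": action})
    return findings


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "plc-line1", "model": "M241", "firmware": "5.2.9.30"},   # older than fix
    {"host": "plc-line2", "model": "M241", "firmware": "5.2.11.24"},  # at fixed version
    {"host": "plc-line3", "model": "M262", "firmware": "5.2.8.25"},   # older than fix
    {"host": "plc-line4", "model": "M258", "firmware": "5.1.0.0"},    # all versions affected
]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:10} {f['model']:7} {f['firmware']:10} -> {f['action']}")
```

Pair the output with the exposure checks in the recommended actions: a controller at the fixed version still belongs behind segmentation with ports 80/HTTP and 443/HTTPS filtered, and with the webserver deactivated when it is not needed.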

Official resources

2024-12-19