PatchSiren cyber security CVE debrief
CVE-2024-8938 Schneider Electric CVE debrief
A buffer boundary violation (CWE-119) in Schneider Electric Modicon M340, MC80, and Momentum Unity M1E controllers allows potential arbitrary code execution. The attack requires a successful Man-in-the-Middle (MitM) position followed by a crafted Modbus command that tampers with a function call used to evaluate memory size. The vulnerability was disclosed on November 12, 2024, with firmware fixes becoming available through January 2026. The CVSS 3.1 score of 8.1 (High) reflects high impact to confidentiality, integrity, and availability, though the attack complexity is high due to the prerequisite MitM condition.
- Vendor: Schneider Electric
- Product: Modicon M340 CPU Controller
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2026-01-20
- Advisory published: 2024-11-12
- Advisory updated: 2026-01-20
Who should care
Organizations operating Schneider Electric Modicon M340, MC80, or Momentum Unity M1E controllers in industrial environments, particularly those with Modbus TCP connectivity on port 502. Critical infrastructure operators, manufacturing facilities, water/wastewater utilities, and energy sector deployments using these PLC platforms should prioritize assessment and patching.
Technical summary
The vulnerability exists in the Modbus command processing of affected Schneider Electric controllers. A function call used to evaluate memory size can be tampered with when an attacker positioned as a Man-in-the-Middle injects crafted Modbus commands. This improper restriction of operations within memory buffer bounds (CWE-119) creates conditions for potential arbitrary code execution. The attack vector is network-based (AV:N) with high attack complexity (AC:H) due to the MitM prerequisite, requiring no privileges (PR:N) or user interaction (UI:N). Successful exploitation impacts confidentiality, integrity, and availability at high severity (C:H/I:H/A:H).
Defensive priority
high
Recommended defensive actions
- Apply vendor firmware updates: Modicon M340 CPU Firmware SV3.65 or later, Modicon MC80 Firmware SV2.1 or later, and Modicon Momentum Unity M1E Processor Firmware SV2.80 or later.
- Implement network segmentation and configure firewalls to block unauthorized access to TCP port 502 (Modbus).
- Configure Access Control Lists (ACLs) per product-specific user manual guidance to restrict device access.
- Enable memory protection on M340 CPUs by configuring the input bit to a physical input.
- Consider deploying external firewall devices with VPN capabilities (such as Belden EAGLE40-07) for secure remote access.
- Review and apply ICS cybersecurity best practices from CISA and Schneider Electric documentation.
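An added example, not taken from the advisory or from Schneider Electric: a triage pass over an asset inventory that applies the fixed firmware versions and the TCP port 502 access restriction from the list above. The inventory fields, asset names, addresses and allowlist are constructed, and the comparison assumes the dotted fields of a firmware version compare as integers.

```python
import ipaddress
import re

# Minimum fixed firmware per product line, as listed in the actions above.
FIXED = {"M340": (3, 65), "MC80": (2, 1), "Momentum Unity M1E": (2, 80)}

def parse_sv(text):
    """'SV3.65', 'sv 2.1' or '2.80' -> tuple of ints; None if unparseable."""
    m = re.fullmatch(r"\s*(?:SV)?\s*(\d+(?:\.\d+)*)\s*", text or "", re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def firmware_status(product, firmware):
    fixed = FIXED.get(product)
    if fixed is None:
        return "not-in-scope"
    have = parse_sv(firmware)
    if have is None:
        return "verify-manually"  # never treat an unreadable version as patched
    # Assumption: fields compare numerically, so SV3.65.0 equals SV3.65.
    width = max(len(have), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "fixed" if pad(have) >= pad(fixed) else "update-required"

def unexpected_modbus_clients(clients, allowed_cidrs):
    """Source IPs seen reaching TCP/502 that fall outside the allowed networks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [c for c in clients
            if not any(ipaddress.ip_address(c) in n for n in nets)]

def triage(assets, allowed_cidrs):
    """One (name, firmware status, unexpected clients) row per asset."""
    return [(a["name"],
             firmware_status(a["product"], a["firmware"]),
             unexpected_modbus_clients(a["modbus_clients"], allowed_cidrs))
            for a in assets]

# Constructed sample inventory: hypothetical names, documentation addresses.
SAMPLE_ASSETS = [
    {"name": "plc-a", "product": "M340", "firmware": "SV3.60",
     "modbus_clients": ["10.20.0.5", "192.0.2.44"]},
    {"name": "plc-b", "product": "MC80", "firmware": "sv 2.1",
     "modbus_clients": ["10.20.0.5"]},
    {"name": "plc-c", "product": "Momentum Unity M1E", "firmware": "unknown",
     "modbus_clients": []},
]
ALLOWED = ["10.20.0.0/24"]  # constructed engineering/SCADA subnet

if __name__ == "__main__":
    for row in triage(SAMPLE_ASSETS, ALLOWED):
        print(row)
```

Assets that come back as `update-required` with a non-empty client list are the ones where both the firmware and the port 502 exposure actions still apply.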
Evidence notes
CISA CSAF advisory ICSA-24-326-04 (initial release 2024-11-12, updated 2025-04-08 and 2026-01-13/20) documents this vulnerability. Schneider Electric security notice SEVD-2024-317-03 provides vendor confirmation. The CSAF revision history shows firmware fixes were released progressively: Momentum Unity M1E (SV2.80) in April 2025, MC80 (SV2.1) in January 2026, with M340 (SV3.65) available at initial disclosure.
Official resources
- CVE-2024-8938 CVE record (CVE.org)
- CVE-2024-8938 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-11-12