PatchSiren cyber security CVE debrief
CVE-2025-2875 Schneider Electric CVE debrief
CVE-2025-2875 is a high-severity confidentiality issue in Schneider Electric Modicon controllers. According to the CISA/Schneider Electric advisory, an unauthenticated attacker can manipulate a controller webserver URL and access resources, which can expose sensitive information. The affected products are Modicon M241, M251, M258, and LMC058 in versions prior to the fixed releases. Schneider Electric’s guidance emphasizes keeping controllers off public or untrusted networks, restricting web access, and applying the vendor fixes as soon as practical.
- Vendor: Schneider Electric
- Product: Modicon Controllers M241
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-10-14
- Advisory published: 2025-05-13
- Advisory updated: 2025-10-14
Who should care
OT and ICS operators using Schneider Electric Modicon M241, M251, M258, or LMC058 controllers; plant engineers; security teams responsible for industrial network segmentation; and integrators who expose controller web interfaces or remote access paths.
Technical summary
The issue is classified as CWE-610 (Externally Controlled Reference to a Resource in Another Sphere): an unauthenticated attacker can influence the controller webserver URL and reach resources they should not access. The advisory rates the issue CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), which means it is network-reachable, requires no privileges or user interaction, and primarily impacts confidentiality. The source advisory lists the fixed versions as firmware 5.3.12.48 for M241 and M251, and firmware 5.0.4.19 for M258 and LMC058.
Defensive priority
High priority for any exposed or remotely reachable controller web interface. Remediation should be treated as urgent where OT assets are reachable from enterprise, partner, VPN, or internet-facing networks, because the issue is unauthenticated and directly affects confidentiality.
Recommended defensive actions
- Apply the vendor-fixed firmware versions: M241 and M251 5.3.12.48; M258 and LMC058 5.0.4.19.
- Use the Schneider Electric Controller Assistant workflow referenced in the advisory to update firmware and reboot affected devices.
- Remove or restrict access to controller webservers when they are not required.
- Keep controllers and related devices on protected networks; do not expose them to the public internet or untrusted networks.
- Enforce user management and strong passwords, noting the advisory’s guidance that user rights are enabled by default and a strong password is required at first use.
- Use network segmentation and firewall rules to block unauthorized access to HTTP/HTTPS ports 80 and 443.
- Use VPN tunnels for any required remote access instead of direct exposure.
- Prefer encrypted communications when available and follow Schneider Electric’s product hardening guidance for Modicon and EcoStruxure environments.
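To turn the actions above into a work queue, the following added example (not code from the advisory or from Schneider Electric) triages an asset inventory against the fixed firmware versions listed on this page and escalates controllers whose webserver is reachable from untrusted zones. The inventory columns, host names, zone labels, and sample firmware values are constructed assumptions.

```python
import csv
import io

# Fixed firmware versions as listed on this page.
FIXED = {
    "M241": (5, 3, 12, 48), "M251": (5, 3, 12, 48),
    "M258": (5, 0, 4, 19), "LMC058": (5, 0, 4, 19),
}
# Zones the page treats as urgent when they can reach the controller (labels assumed).
UNTRUSTED_ZONES = {"enterprise", "partner", "vpn", "internet"}

# Constructed sample inventory; hosts, columns and versions are hypothetical.
SAMPLE_INVENTORY = """host,model,firmware,web_reachable_from
plc-line1,M241,5.3.12.48,
plc-line2,M251,5.2.11.24,enterprise;ot
plc-pack1,M258,5.0.4.11,ot
plc-motion1,LMC058,,internet
plc-other,M340,3.60,enterprise
"""

def parse_version(text):
    """Return a tuple of ints, or None if the field is empty or malformed."""
    parts = text.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def triage(inventory_csv):
    """Map host -> out_of_scope, fixed, unknown, patch, or urgent."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["model"].strip().upper())
        if fixed is None:  # model not named in this advisory
            results[row["host"]] = "out_of_scope"
            continue
        version = parse_version(row["firmware"])
        zones = {z.strip().lower() for z in row["web_reachable_from"].split(";")}
        exposed = bool(zones & UNTRUSTED_ZONES)
        if version is not None and version >= fixed:
            results[row["host"]] = "fixed"
        elif exposed:  # unpatched or unverified, and reachable from an untrusted zone
            results[row["host"]] = "urgent"
        elif version is None:  # firmware not recorded: verify on the device
            results[row["host"]] = "unknown"
        else:
            results[row["host"]] = "patch"
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A controller with no recorded firmware is treated as unpatched for exposure purposes, so missing inventory data cannot hide an urgent case.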
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-25-140-08 and Schneider Electric’s SEVD-2025-133-01 notice, both published on 2025-05-13. The advisory revision history shows a 2025-07-08 update adding remediation for M241/M251 and a 2025-10-14 update adding remediation for M258/LMC058. The supplied corpus does not indicate KEV listing, ransomware association, or active exploitation reports.
Official resources
- CVE-2025-2875 CVE record (CVE.org)
- CVE-2025-2875 NVD detail (NVD)
- Source item URL (cisa_csaf)
Schneider Electric disclosed the issue in SEVD-2025-133-01, and CISA published ICS Advisory ICSA-25-140-08 on 2025-05-13. The advisory was later revised on 2025-07-08 to add M241/M251 remediation and on 2025-10-14 to add M258/LMC058 remedi