CVE-2025-3116 Schneider Electric CVE debrief

Who should care

Industrial control system operators, OT security teams, and maintenance engineers responsible for Schneider Electric Modicon M241, M251, M258, and LMC058 deployments. Organizations using EcoStruxure Automation Expert - Motion or EcoStruxure Machine Expert to manage M241/M251 firmware should also prioritize this item.

Technical summary

The issue is categorized as CWE-20 (Improper Input Validation) and carries CVSS v3.1 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The vulnerable path is an HTTPS request handler/controller interface that does not correctly validate malformed request body data. Impact is availability-only: a successful authenticated request can cause denial of service. The source corpus identifies affected products as Modicon M241 versions prior to 5.3.12.51, Modicon M251 versions prior to 5.3.12.51, and all versions of Modicon M258 and LMC058. For M241/M251, Schneider Electric states that firmware version 5.3.12.51 fixes the issue and can be applied using Controller Assistant through EcoStruxure Automation Expert - Motion v24.1 or EcoStruxure Machine Expert v2.3. For M258/LMC058, the source corpus lists mitigation steps and says a future remediation plan was being established.

Defensive priority

High for any affected controller that is reachable from enterprise, remote-access, or less-trusted networks; medium otherwise. Because the issue can interrupt controller availability in OT environments, patching or compensating controls should be prioritized even though the CVSS base score is in the medium range.

Recommended defensive actions

• Upgrade Modicon M241 and M251 controllers to firmware version 5.3.12.51 using the vendor-supported update path described in the advisory.
• Use EcoStruxure Automation Expert - Motion v24.1 or EcoStruxure Machine Expert v2.3 Controller Assistant to update M241/M251 firmware, then reboot as instructed.
• For M258 and LMC058, follow the vendor mitigations in the advisory until a fixed version is available.
• Restrict controller access to protected networks; do not expose HTTP/HTTPS management interfaces to public or untrusted networks.
• Enforce user management and strong passwords on affected systems.
• Disable the webserver when it is not needed.
• Use encrypted communications and VPN tunnels for remote access.
• Segment networks and firewall ports 80/HTTP and 443/HTTPS to block unauthorized access.

Evidence notes

The supplied CISA CSAF advisory ICSA-25-175-03 names the affected products, describes the malformed HTTPS request condition, and lists the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Its revision history shows the original release on 2025-06-10 and a 2025-07-08 update stating that remediation is available within EcoStruxure Machine Expert v2.3 used to update M241/M251 firmware. The same source notes that M258 and LMC058 were still covered by mitigation guidance rather than a fixed version in the supplied corpus.

Official resources