PatchSiren cyber security CVE debrief
CVE-2025-3898 Schneider Electric CVE debrief
CVE-2025-3898 is a medium-severity denial-of-service vulnerability in Schneider Electric Modicon Controllers. According to the CISA CSAF advisory, an authenticated malicious user can send an HTTPS request containing an invalid data type to the webserver and cause the service to fail. The advisory was originally published on 2025-06-10 and revised on 2025-07-08 to note that remediation was available for update paths using EcoStruxure Machine Expert v2.3.
- Vendor: Schneider Electric
- Product: Modicon Controllers M241
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2025-07-08
- Advisory published: 2025-06-10
- Advisory updated: 2025-07-08
Who should care
Industrial control system operators, OT security teams, and administrators responsible for Schneider Electric Modicon M241, M251, or M262 controllers, especially where the webserver is enabled or remotely reachable over HTTPS.
Technical summary
The advisory maps the issue to CWE-20 (Improper Input Validation). The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a network-reachable issue that requires low privileges and no user interaction, with high availability impact only. Affected products are Schneider Electric Modicon Controllers M241 versions prior to 5.3.12.51, M251 versions prior to 5.3.12.51, and M262 versions prior to 5.3.9.18. The source advisory identifies vendor fixes for these versions and includes operational mitigations such as network segmentation, restricting HTTP/HTTPS exposure, disabling the webserver when not needed, and using encrypted communication links.
Defensive priority
High for environments that expose controller web interfaces or allow authenticated remote access. The advisory scores no confidentiality or integrity impact, but loss of controller availability in OT environments can still disrupt operations.
Recommended defensive actions
- Upgrade M241 to version 5.3.12.51 or later using the supported Schneider Electric update path.
- Upgrade M251 to version 5.3.12.51 or later using the supported Schneider Electric update path.
- Upgrade M262 to version 5.3.9.18 or later using the supported Schneider Electric update path.
- Use EcoStruxure Automation Expert - Motion v2.3 or EcoStruxure Machine Expert v2.3, as applicable, to perform the firmware update and reboot the controller.
- If immediate patching is not possible, isolate controllers in protected networks and prevent exposure to untrusted networks or the public internet.
- Restrict or disable the webserver when it is not required for operations.
- Enforce strong user management and password controls on affected devices.
- Block unauthorized access to ports 80/HTTP and 443/HTTPS with segmentation and firewall rules, and use VPNs for approved remote access.
Evidence notes
All product and remediation statements are drawn from the CISA CSAF advisory ICSA-25-175-03 and its revision history. The advisory explicitly lists affected Schneider Electric Modicon M241, M251, and M262 versions, identifies CWE-20, and states that the issue can cause denial of service when an authenticated malicious user sends an HTTPS request containing an invalid data type to the webserver. The source item and linked Schneider Electric notice provide the remediation and mitigation guidance. The published date used here is the CVE/source publication date of 2025-06-10; the 2025-07-08 modification reflects advisory updates, not the original issue date.
Official resources
- CVE-2025-3898 CVE record (CVE.org)
- CVE-2025-3898 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the CISA CSAF advisory ICSA-25-175-03 on 2025-06-10 and updated on 2025-07-08 with remediation availability details.