A critical and unpatched remote code execution vulnerability in Schneider Electric’s programmable logic controllers (PLCs) could allow attackers to take control of the industrial systems they run, Armis security researchers have warned.
Schneider Electric’s Modicon line was one of the first PLC products on the market; its purpose is to connect industrial equipment, from oil and gas pipelines to manufacturing systems and water purification facilities, to a network. The research found a serious vulnerability in the product that could allow anyone to take control of the device by using hidden commands to bypass authentication.
“Armis researchers discovered that these commands can be used to take over a PLC and gain native code execution on the device, which can be used to change the operation of the PLC while hiding the changes from the engineering workstation that manages the PLC. This attack is an unauthenticated attack that requires only network access to the target PLC,” the information security analyst said.
Schneider Electric claims that the vulnerability, dubbed “ModiPwn,” has been patched. Armis researchers found that these patches only take effect if an application password is set, and they found multiple ways to bypass that password, reopening the loophole for anyone, even on the latest software versions.
To make matters worse, the vulnerability, originally classified as enabling a denial of service (DoS) attack, was found to allow remote code execution, meaning an unauthenticated attacker could take full control of the PLC and, in turn, of the industrial equipment it operates.
Schneider Electric confirmed the vulnerabilities and promised to release a patch by the end of the year. However, even once the patch is installed, Schneider Electric customers will need to verify further that their devices are secure.