Description
A CWE-200: Information Exposure vulnerability exists that could cause the exposure of sensitive information stored on the memory of the controller when communicating over the Modbus TCP protocol. Affected Products: Modicon M340 CPU (part numbers BMXP34*) (Versions prior to V3.30), Modicon M580 CPU (part numbers BMEP* and BMEH*) (Versions prior to SV3.20), Modicon MC80 (BMKC80) (Versions prior to V1.6), Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions), Modicon Momentum MDI (171CBU*) (Versions prior to V2.3), Legacy Modicon Quantum (All Versions)
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected products
- Schneider Electric / Legacy Modicon QuantumAll Versions – All Versions
- Schneider Electric / Modicon M340 CPU (part numbers BMXP34*)All – V3.30
- Schneider Electric / Modicon M580 CPU (part numbers BMEP* and BMEH*)All – V3.20
- Schneider Electric / Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)All Versions – All Versions
- Schneider Electric / Modicon MC80 (BMKC80)All – V1.6
- Schneider Electric / Modicon Momentum CPU (171CBU*)All – V2.3