Security researchers have found two vulnerabilities affecting Schneider Electric Modicon programmable logic controllers (PLCs). By chaining the vulnerabilities, attackers could achieve deep lateral movement in OT networks. This would in turn allow them to carry out highly granular and stealthy manipulations or to override functional and safety limitations.
CVE-2022-45788 and CVE-2022-45789
The two Schneider Electric vulnerabilities are an improper check for unusual or exceptional conditions vulnerability (CVE-2022-45788) and an authentication bypass by capture-replay vulnerability (CVE-2022-45789). They received CVSS scores of 7.5 and 8.1 respectively, making them both high severity. Even on their own, these vulnerabilities could carry serious risks. CVE-2022-45788 could cause arbitrary code execution, denial of service, and loss of confidentiality and integrity when a malicious project file is loaded onto the controller. CVE-2022-45789 could lead to the execution of unauthorized Modbus functions on the controller when an authenticated Modbus session is hijacked.
However, when chained together, they also allow an attacker to achieve deep lateral movement. As Forescout describes it: «Deep lateral movement lets attackers gain deep access to industrial control systems and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functional and safety limitations.» Essentially, deep lateral movement allows attackers to use an uninteresting device as a starting point to gain access to more interesting targets.
Update Vulnerable Devices
Both CVE-2022-45788 and CVE-2022-45789 affect multiple devices. Schneider Electric has put out advisories for both vulnerabilities (CVE-2022-45788 and CVE-2022-45789). They list all affected devices, as well as the necessary steps to protect yourself against the vulnerabilities described above, and links to the necessary patches.
Affected Products | Affected Versions | Vulnerable to |
EcoStruxure™ Control Expert | All Versions | CVE-2022-45788, CVE-2022-45789 |
EcoStruxure™ Process Expert | Version V2020 & prior | CVE-2022-45788, CVE-2022-45789 |
Modicon M340 CPU (part numbers BMXP34*) | All Versions | CVE-2022-45788, CVE-2022-45789 |
Modicon M580 CPU (part numbers BMEP* and BMEH*) | All Versions | CVE-2022-45788, CVE-2022-45789 |
Modicon M580 CPU Safety (part numbers BMEP58S and BMEH58S) | All Versions | CVE-2022-45788, CVE-2022-45789 |
Modicon Momentum Unity M1E Processor (171CBU*) | All Versions | CVE-2022-45788 |
Modicon MC80 (BMKC80) | All Versions | CVE-2022-45788 |
Legacy Modicon Quantum (140CPU65) and Premium CPUs (TSXP57) | All Versions | CVE-2022-45788 |
Discover Vulnerable Schneider Electric Modicon PLCs
Many of the affected devices are Modicon PLCs. Based on the information shared by Schneider Electric, our experts have created a specialized Lansweeper Cloud report using the new Lansweeper OT scanner to help you identify these PLCs in your environment. This way you have an actionable list of devices that may still need your intervention.
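The same triage can be run over any asset inventory export by matching part numbers against the PLC rows of the table above. The script below is an added example, not Lansweeper's report or Schneider Electric's code; the CSV column names, the treatment of each listed part number as a prefix, and all sample rows are assumptions made for illustration.

```python
import csv
import io

CVE_BOTH = ("CVE-2022-45788", "CVE-2022-45789")
CVE_88 = ("CVE-2022-45788",)

# PLC rows of the table above (all list "All Versions"). Assumption: each part
# number is a prefix; the Safety entries come first so they win over plain M580.
AFFECTED = [
    ("Modicon M340 CPU", ("BMXP34",), CVE_BOTH),
    ("Modicon M580 CPU Safety", ("BMEP58S", "BMEH58S"), CVE_BOTH),
    ("Modicon M580 CPU", ("BMEP", "BMEH"), CVE_BOTH),
    ("Modicon Momentum Unity M1E Processor", ("171CBU",), CVE_88),
    ("Modicon MC80", ("BMKC80",), CVE_88),
    ("Legacy Modicon Quantum CPU", ("140CPU65",), CVE_88),
    ("Legacy Modicon Premium CPU", ("TSXP57",), CVE_88),
]

# Constructed sample export; hosts, addresses and part numbers are illustrative.
SAMPLE_INVENTORY = """\
host,ip,part_number
plc-line1,192.0.2.10,BMXP342020
plc-line2,192.0.2.11,bme p58 4040
plc-pack1,192.0.2.12,171CBU98090
hmi-01,192.0.2.20,HMIGTO5310
plc-old,192.0.2.13,TSX P57-204M
sw-core,192.0.2.1,
"""

def normalize(part_number):
    """Upper-case and drop spaces/hyphens: 'bme p58 4040' -> 'BMEP584040'."""
    return "".join(ch for ch in part_number.upper() if ch.isalnum())

def classify(part_number):
    """Return (family, cves) for the first matching table row, else None."""
    pn = normalize(part_number)
    for family, prefixes, cves in AFFECTED:
        if pn.startswith(prefixes):
            return family, cves
    return None

def triage(inventory_csv):
    """Return (host, family, cves) for each inventory row that is affected."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    hits = ((r["host"], classify(r.get("part_number") or "")) for r in rows)
    return [(host, *hit) for host, hit in hits if hit]

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

A match only says the device belongs to an affected family; whether it has been remediated still has to be checked against the steps in the Schneider Electric advisories.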