Intelligence
highVulnerabilityActive

Critical XSS and DoS Vulnerabilities in Schneider Electric Modicon Industrial Controllers Expose OT Environments

Schneider Electric Modicon Controllers (M241, M251, M258, M262, LMC058) contain XSS/open redirect and denial-of-service vulnerabilities affecting web interfaces. Exploitation could lead to account takeover, browser-based code execution, or operational disruption in industrial environments.

S
Sebastion

Affected

Schneider Electric Modicon M241 (versions < 5.4.13.12)Schneider Electric Modicon M251 (versions < 5.4.13.12)Schneider Electric Modicon M258 (all firmware versions)Schneider Electric Modicon M262 (versions < 5.4.10.12)Schneider Electric Modicon LMC058 (all firmware versions)

Schneider Electric has disclosed multiple vulnerabilities affecting its Modicon controller line, a widely-deployed family of programmable logic controllers (PLCs) used in manufacturing, utilities, and critical infrastructure. Two distinct vulnerability classes are present: (1) XSS and Open Redirect (CVSS 5.3) affecting M241, M251, M258, and LMC058 controllers that could enable account takeover or malicious code execution within user browsers; and (2) Denial-of-Service (CVSS 5.3) affecting M241, M251, and M262 controllers that could disrupt operational availability.

The XSS/open redirect vector is particularly concerning because it targets the web-based management interfaces commonly used for remote configuration and monitoring of these controllers. Since these are OT environments, compromise of an operator's browser session could translate into unauthorized control of industrial processes. The open redirect component increases attack surface for phishing and credential harvesting against facility personnel.

Critically, M258 and LMC058 controllers report no patched firmware versions available, indicating vendors have not yet resolved these issues. This leaves all deployed instances vulnerable indefinitely. M241 and M251 operators have a clearer remediation path (upgrade to 5.4.13.12), while M262 users should target 5.4.10.12. However, firmware upgrades in OT environments require careful change management and downtime planning, creating real friction in deployment.

Defenders should: (1) audit network exposure of Modicon controller web interfaces, restricting access to authorized engineering networks; (2) enforce multi-factor authentication on administrator accounts; (3) apply available patches on a scheduled basis; (4) implement compensating controls such as WAF rules blocking suspicious redirects for M258/LMC058; (5) monitor for exploitation indicators (unusual session activity, browser-based reconnaissance). This vulnerability class demonstrates the persistent risk of insecure web interfaces in OT devices—a pattern repeated across industrial automation vendors.

The lack of vendor patches for M258/LMC058 suggests either legacy product status or ongoing development cycles, both problematic for organizations with extended infrastructure lifespans. Facilities running vulnerable controllers should plan hardware refresh or request emergency firmware updates from Schneider Electric support.

Sources

schneider-electricmodiconindustrial-control-systemsicsxssdenial-of-serviceweb-interfaceot-security
Back to intelligence