CVE-2018-7760
📋 TL;DR
This vulnerability allows attackers to bypass authorization on Schneider Electric PLCs by sending crafted requests to CGI functions. It affects Modicon M340, Premium, Quantum PLCs and BMXNOR0200 modules. Attackers could gain unauthorized access to critical industrial control systems.
💻 Affected Systems
- Modicon M340
- Modicon Premium
- Modicon Quantum PLC
- BMXNOR0200
📦 What is this software?
140cpu31110 Firmware by Schneider Electric
140cpu31110c Firmware by Schneider Electric
140cpu43412u Firmware by Schneider Electric
140cpu43412uc Firmware by Schneider Electric
140cpu65150 Firmware by Schneider Electric
140cpu65150c Firmware by Schneider Electric
140cpu65160 Firmware by Schneider Electric
140cpu65160c Firmware by Schneider Electric
140cpu65160s Firmware by Schneider Electric
140cpu65260 Firmware by Schneider Electric
140cpu65260c Firmware by Schneider Electric
140cpu65860 Firmware by Schneider Electric
140cpu65860c Firmware by Schneider Electric
Bmxnor0200 Firmware by Schneider Electric
Bmxnor0200h Firmware by Schneider Electric
Modicon M340 Bmxp341000 Firmware by Schneider Electric
Modicon M340 Bmxp341000h Firmware by Schneider Electric
Modicon M340 Bmxp342000 Firmware by Schneider Electric
Modicon M340 Bmxp3420102 Firmware by Schneider Electric
Modicon M340 Bmxp3420102cl Firmware by Schneider Electric
Modicon M340 Bmxp342020 Firmware by Schneider Electric
Modicon M340 Bmxp342020h Firmware by Schneider Electric
Modicon M340 Bmxp3420302 Firmware by Schneider Electric
Modicon M340 Bmxp3420302cl Firmware by Schneider Electric
Modicon M340 Bmxp3420302h Firmware by Schneider Electric
Tsxh5724m Firmware by Schneider Electric
Tsxh5724mc Firmware by Schneider Electric
Tsxh5744m Firmware by Schneider Electric
Tsxh5744mc Firmware by Schneider Electric
Tsxp57104m Firmware by Schneider Electric
Tsxp57104mc Firmware by Schneider Electric
Tsxp57154m Firmware by Schneider Electric
Tsxp57154mc Firmware by Schneider Electric
Tsxp571634m Firmware by Schneider Electric
Tsxp571634mc Firmware by Schneider Electric
Tsxp57204m Firmware by Schneider Electric
Tsxp57204mc Firmware by Schneider Electric
Tsxp57254m Firmware by Schneider Electric
Tsxp57254mc Firmware by Schneider Electric
Tsxp572634m Firmware by Schneider Electric
Tsxp572634mc Firmware by Schneider Electric
Tsxp57304m Firmware by Schneider Electric
Tsxp57304mc Firmware by Schneider Electric
Tsxp57354m Firmware by Schneider Electric
Tsxp57354mc Firmware by Schneider Electric
Tsxp573634m Firmware by Schneider Electric
Tsxp573634mc Firmware by Schneider Electric
Tsxp57454m Firmware by Schneider Electric
Tsxp57454mc Firmware by Schneider Electric
Tsxp574634m Firmware by Schneider Electric
Tsxp574634mc Firmware by Schneider Electric
Tsxp57554m Firmware by Schneider Electric
Tsxp57554mc Firmware by Schneider Electric
Tsxp575634m Firmware by Schneider Electric
Tsxp575634mc Firmware by Schneider Electric
Tsxp576634m Firmware by Schneider Electric
Tsxp576634mc Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of industrial control systems allowing manipulation of physical processes, production disruption, or safety system interference.
Likely Case
Unauthorized access to PLC configuration and logic, enabling data theft, operational disruption, or installation of malicious code.
If Mitigated
Limited impact with proper network segmentation and access controls preventing exploitation attempts.
🎯 Exploit Status
Exploitation requires network access to the PLC's web interface but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates specified in Schneider Electric advisory SEVD-2018-081-02
Vendor Advisory: https://www.schneider-electric.com/en/download/document/SEVD-2018-081-02/
Restart Required: Yes
Instructions:
1. Download firmware update from Schneider Electric portal.
2. Backup PLC configuration.
3. Apply firmware update using appropriate programming software.
4. Restart PLC.
5. Verify firmware version.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs from untrusted networks using firewalls.
Disable Web Interface
Disable web server functionality if not required for operations.
🧯 If You Can't Patch
- Implement strict network access controls allowing only trusted IPs to access PLC web interfaces.
- Monitor network traffic for unauthorized CGI function requests and implement intrusion detection.
🔍 How to Verify
Check if Vulnerable:
Check firmware version against patched versions in Schneider Electric advisory. Attempt to access CGI functions without authentication.
Check Version:
Use Schneider Electric programming software (e.g., Unity Pro) to read PLC firmware version.
Verify Fix Applied:
Verify firmware version matches patched version and test that CGI functions require proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to CGI functions in PLC logs
- Failed authentication logs followed by successful CGI requests
Network Indicators:
- HTTP requests to CGI endpoints without authentication headers
- Unusual traffic patterns to PLC web interfaces
SIEM Query:
source="plc_logs" AND (event="unauthorized_cgi_access" OR url="*.cgi")
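The log and network indicators above can be correlated per source address. The following is an added example, not vendor or original-page code: it flags successful CGI requests that carried no Authorization header, came from outside a trusted subnet, or followed a failed authentication from the same source. The log format, the `/example/*.cgi` paths, the trusted subnet and the five-minute window are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (not real PLC logs):
# time, source IP, path, HTTP status, Authorization header seen (yes/no)
SAMPLE_LOG = """\
2018-04-02T08:00:01 10.10.5.20 /index.htm 200 yes
2018-04-02T08:00:05 10.10.5.20 /example/status.cgi 200 yes
2018-04-02T09:14:10 192.0.2.77 /example/status.cgi 401 no
2018-04-02T09:14:40 192.0.2.77 /example/config.cgi 200 no
2018-04-02T09:30:00 10.10.5.21 /example/status.cgi 200 no
"""

TRUSTED = [ipaddress.ip_network("10.10.5.0/24")]  # assumed engineering subnet
WINDOW = timedelta(minutes=5)                      # assumed correlation window


def parse(line):
    ts, src, path, status, auth = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "path": path, "status": int(status), "auth": auth == "yes"}


def detect(log_text):
    """Return (timestamp, source, path, reasons) for each suspicious CGI request."""
    alerts, last_401 = [], {}
    for rec in map(parse, filter(None, log_text.splitlines())):
        if rec["status"] == 401:
            last_401[rec["src"]] = rec["ts"]  # remember the latest failed auth
        is_cgi = rec["path"].split("?")[0].lower().endswith(".cgi")
        if not (is_cgi and 200 <= rec["status"] < 300):
            continue  # only successful CGI requests are evaluated
        reasons = []
        if not rec["auth"]:
            reasons.append("cgi-success-without-auth-header")
        if not any(rec["src"] in net for net in TRUSTED):
            reasons.append("source-not-in-allowlist")
        prev = last_401.get(rec["src"])
        if prev is not None and rec["ts"] - prev <= WINDOW:
            reasons.append("success-after-failed-auth")
        if reasons:
            alerts.append((rec["ts"].isoformat(), str(rec["src"]), rec["path"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the last sample record is flagged even though its source is on the allowlist, since a successful CGI response without credentials is the behaviour this CVE describes.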