CVE-2020-7535
📋 TL;DR
This path traversal vulnerability in Schneider Electric Modicon PLC web servers allows attackers to access restricted files by sending specially crafted HTTP requests. It affects Modicon M340, Quantum, and Premium PLCs and associated communication modules. Successful exploitation could lead to unauthorized information disclosure.
💻 Affected Systems
- Modicon M340
- Modicon Quantum
- Modicon Premium
- Associated Communication Modules
📦 What is this software?
140cpu65150 Firmware by Schneider Electric
140cpu65160 Firmware by Schneider Electric
140noc77101 Firmware by Schneider Electric
140noc78000 Firmware by Schneider Electric
140noc78100 Firmware by Schneider Electric
140noe77101 Firmware by Schneider Electric
140noe77111 Firmware by Schneider Electric
Bmxnoe0100 Firmware by Schneider Electric
Bmxnoe0110 Firmware by Schneider Electric
Modicon M340 Bmxp341000 Firmware by Schneider Electric
Modicon M340 Bmxp342000 Firmware by Schneider Electric
Modicon M340 Bmxp3420102 Firmware by Schneider Electric
Modicon M340 Bmxp3420102cl Firmware by Schneider Electric
Modicon M340 Bmxp342020 Firmware by Schneider Electric
Modicon M340 Bmxp3420302 Firmware by Schneider Electric
Modicon M340 Bmxp3420302cl Firmware by Schneider Electric
Tsxety4103 Firmware by Schneider Electric
Tsxety5103 Firmware by Schneider Electric
Tsxp574634 Firmware by Schneider Electric
Tsxp575634 Firmware by Schneider Electric
Tsxp576634 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through access to sensitive configuration files, credentials, or firmware, potentially enabling further attacks on industrial control systems.
Likely Case
Disclosure of sensitive information including configuration data, network settings, and potentially credentials stored on the PLC.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external attackers from reaching vulnerable systems.
🎯 Exploit Status
Path traversal vulnerabilities typically have low exploitation complexity; no authentication is required to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to vendor advisory SEVD-2020-343-05 for specific patched versions
Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2020-343-05/
Restart Required: Yes
Instructions:
1. Download firmware updates from Schneider Electric website.
2. Follow vendor instructions for PLC firmware update procedure.
3. Apply updates to all affected PLCs and communication modules.
4. Restart affected devices.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs from untrusted networks and restrict HTTP access
Access Control Lists
Implement firewall rules to restrict HTTP access to PLC web interfaces
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PLCs from untrusted networks
- Disable web server functionality if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check PLC firmware version against vendor advisory; test with controlled path traversal attempts if authorized
Check Version:
Check PLC firmware version via web interface or programming software
Verify Fix Applied:
Verify firmware version matches patched version from vendor advisory; retest vulnerability if authorized
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests with directory traversal patterns
- Multiple failed attempts to access restricted paths
Network Indicators:
- HTTP requests containing '../' sequences or similar path traversal patterns to PLC IPs
SIEM Query:
dest_ip="PLC_IP" AND (http_uri CONTAINS "../" OR http_uri CONTAINS "..\\")
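
The log and network indicators above, written out as detection logic. This is an added example, not code from this page or from the vendor advisory; it goes beyond the literal '../' match by also decoding percent-encoded and double-encoded sequences. The log format, the PLC addresses (documentation ranges) and the function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: the PLC web interfaces to watch (documentation-range addresses).
PLC_IPS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample lines. Assumed format: time src_ip dst_ip method uri status
SAMPLE_LOG = """\
2020-12-08T10:00:01Z 198.51.100.7 192.0.2.10 GET /index.htm 200
2020-12-08T10:00:02Z 198.51.100.7 192.0.2.10 GET /images/../../restricted/file.cfg 403
2020-12-08T10:00:03Z 198.51.100.7 192.0.2.11 GET /images/%2e%2e%2f%2e%2e%2frestricted/file.cfg 403
2020-12-08T10:00:04Z 198.51.100.7 192.0.2.11 GET /images/%252e%252e%255crestricted 404
2020-12-08T10:00:05Z 198.51.100.9 192.0.2.10 GET /docs/v1..2/readme.htm 200
2020-12-08T10:00:06Z 198.51.100.7 203.0.113.5 GET /a/../b 200
"""

# A ".." path segment delimited by "/" or "\" (or by the start/end of the URI).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_traversal(uri):
    """True if the decoded URI contains a '..' segment; 'v1..2' does not count."""
    return bool(TRAVERSAL.search(normalize(uri)))

def find_alerts(log_text, plc_ips=PLC_IPS):
    """Return (time, src_ip, dst_ip, uri) for traversal requests sent to a PLC."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        time, src, dst, _method, uri, _status = fields
        if dst in plc_ips and is_traversal(uri):
            alerts.append((time, src, dst, uri))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT", *alert)
```

Matching on the decoded URI avoids the false positive a plain substring search for ".." would raise on names such as `v1..2`, and filtering on the destination address keeps the alert scoped to requests sent to the PLCs.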