CVE-2021-22731
📋 TL;DR
This vulnerability allows remote attackers to change passwords on Modicon Managed Switches without authentication when basic user information is known. Attackers can gain unauthorized access to network infrastructure devices. Affects Modicon MCSESM* and MCSESP* switches running vulnerable firmware.
💻 Affected Systems
- Modicon Managed Switch MCSESM*
- Modicon Managed Switch MCSESP*
📦 What is this software?
Mcsesm043f23f0 Firmware by Schneider Electric
Mcsesm053f1cs0 Firmware by Schneider Electric
Mcsesm053f1cu0 Firmware by Schneider Electric
Mcsesm063f2cs0 Firmware by Schneider Electric
Mcsesm063f2cu0 Firmware by Schneider Electric
Mcsesm083f23f0 Firmware by Schneider Electric
Mcsesm083f23f0h Firmware by Schneider Electric
Mcsesm093f1cs0 Firmware by Schneider Electric
Mcsesm093f1cu0 Firmware by Schneider Electric
Mcsesm103f2cs0 Firmware by Schneider Electric
Mcsesm103f2cs0h Firmware by Schneider Electric
Mcsesm103f2cu0 Firmware by Schneider Electric
Mcsesm103f2cu0h Firmware by Schneider Electric
Mcsesm123f2lg0 Firmware by Schneider Electric
Mcsesp083f23g0 Firmware by Schneider Electric
Mcsesp083f23g0t Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete network compromise where attackers gain administrative access to switches, enabling traffic interception, network disruption, and lateral movement to other systems.
Likely Case
Unauthorized access to switch management interfaces leading to configuration changes, network monitoring, or denial of service attacks.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external attackers from reaching management interfaces.
🎯 Exploit Status
Exploitation requires only basic user information and HTTP/HTTPS access to the management interface. No authentication needed for the password change request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V8.22 or later
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-01
Restart Required: Yes
Instructions:
1. Download firmware V8.22 or later from the Schneider Electric portal.
2. Back up the current configuration.
3. Upload the new firmware via the web interface or CLI.
4. Reboot the switch.
5. Verify the firmware version and functionality.
🔧 Temporary Workarounds
Disable HTTP/HTTPS Management
Disable web-based management interfaces and use only secure console or SSH access. The commands below use generic IOS-style syntax; check the switch's own CLI reference for the equivalent on your model.
configure terminal
no ip http server
no ip http secure-server
Network Segmentation
Restrict access to switch management interfaces using firewall rules or VLAN segmentation.
access-list 100 deny tcp any any eq 80
access-list 100 deny tcp any any eq 443
access-list 100 permit ip any any
🧯 If You Can't Patch
- Implement strict network access controls to limit HTTP/HTTPS access to switch management interfaces only from trusted administrative networks.
- Enable multi-factor authentication if supported, or implement compensating controls like network monitoring for unauthorized password change attempts.
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > About) or CLI command 'show version'. If version is V8.21 or earlier, device is vulnerable.
Check Version:
show version
Verify Fix Applied:
Verify that the firmware version is V8.22 or later, and confirm that the password recovery/change mechanism now requires proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Unusual password change requests
- HTTP POST requests to password recovery endpoints from unauthorized IPs
- Multiple failed login attempts followed by password reset
Network Indicators:
- HTTP/HTTPS traffic to switch management interfaces from non-admin networks
- Unusual patterns in password reset requests
SIEM Query:
source_ip NOT IN admin_networks AND (url_path CONTAINS 'password' OR url_path CONTAINS 'reset') AND destination_port IN (80,443)
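The following is an added example, not part of the advisory, showing how the log indicators and SIEM query above can be turned into runnable detection logic. It assumes the switch's HTTP/HTTPS management traffic is logged (by a reverse proxy, firewall or the device's own access log) in a simple space-separated form, and the admin network, endpoint paths (/login, /password/reset) and sample log lines are constructed for the example; the real paths depend on the device's web interface.

```python
"""Detection logic for the password-change indicators (added example).

Assumed log format, one request per line (constructed for this example):
    <timestamp> <src_ip> <dst_port> <method> <url_path> <status>
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the trusted administrative network(s) for this site.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
MGMT_PORTS = {80, 443}            # destination_port IN (80,443)
KEYWORDS = ("password", "reset")  # url_path CONTAINS 'password' OR 'reset'
FAILED_LOGIN_THRESHOLD = 3        # failed logins before a reset is "chained"


@dataclass
class Event:
    ts: str
    src_ip: str
    dst_port: int
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; malformed lines are skipped, not fatal."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, port, method, path, status = parts
    try:
        return Event(ts, src, int(port), method, path, int(status))
    except ValueError:
        return None


def is_admin_ip(ip: str) -> bool:
    """source_ip IN admin_networks (unparseable addresses count as untrusted)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def siem_rule(ev: Event) -> bool:
    """Direct equivalent of the SIEM query in the advisory."""
    return (not is_admin_ip(ev.src_ip)
            and ev.dst_port in MGMT_PORTS
            and any(k in ev.path.lower() for k in KEYWORDS))


def analyze(lines: List[str]) -> Tuple[List[Event], List[str]]:
    """Return (alerts, chained).

    alerts:  events matching the SIEM rule.
    chained: source IPs that issued a POST to a password/reset path after
             at least FAILED_LOGIN_THRESHOLD failed logins (HTTP 401),
             i.e. the 'failed logins followed by password reset' indicator.
    """
    alerts: List[Event] = []
    failed = defaultdict(int)
    chained: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if siem_rule(ev):
            alerts.append(ev)
        path = ev.path.lower()
        if path.endswith("/login") and ev.status == 401:
            failed[ev.src_ip] += 1
        elif ev.method == "POST" and any(k in path for k in KEYWORDS):
            if failed[ev.src_ip] >= FAILED_LOGIN_THRESHOLD:
                chained.append(ev.src_ip)
    return alerts, chained


# Constructed sample log (not real traffic): an admin changing a password
# legitimately, then an untrusted host failing to log in and resetting one.
SAMPLE_LOG = """\
2021-05-11T10:00:01Z 10.10.0.5 443 GET /login 200
2021-05-11T10:00:05Z 10.10.0.5 443 POST /password/change 200
2021-05-11T10:02:10Z 192.0.2.44 443 POST /login 401
2021-05-11T10:02:12Z 192.0.2.44 443 POST /login 401
2021-05-11T10:02:14Z 192.0.2.44 443 POST /login 401
2021-05-11T10:02:20Z 192.0.2.44 443 POST /password/reset 200
2021-05-11T10:03:00Z 192.0.2.44 443 GET /status 200
garbage line
""".splitlines()

if __name__ == "__main__":
    alerts, chained = analyze(SAMPLE_LOG)
    for ev in alerts:
        print(f"ALERT   {ev.ts} {ev.src_ip} {ev.method} {ev.path}")
    for ip in chained:
        print(f"CHAINED failed logins followed by reset from {ip}")
```

The admin host's own password change is not alerted because its source is inside the trusted network; the untrusted host's reset request triggers both the plain SIEM rule and the chained failed-login indicator. Tune ADMIN_NETWORKS and KEYWORDS to the actual management subnets and the endpoint names of the device's web interface before deploying.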