CVE-2021-22792
📋 TL;DR
A NULL pointer dereference vulnerability in Schneider Electric Modicon PLC controllers and simulators allows denial of service attacks when processing specially crafted project files. This affects multiple Modicon PLC models and their simulation software across all versions. Industrial control systems using these devices are vulnerable to disruption.
💻 Affected Systems
- Modicon M580 CPU (BMEP*, BMEH*)
- Modicon M340 CPU (BMXP34*)
- Modicon MC80 (BMKC80*)
- Momentum Ethernet CPU (171CBU*)
- Modicon Quantum CPU (140CPU*)
- Modicon Premium CPU (TSXP5*)
- PLC Simulator for EcoStruxure Control Expert (Unity Pro)
- PLC Simulator for EcoStruxure Process Expert (HDCS)
📦 What is this software?
Modicon M340 Bmxp341000 by Schneider Electric
Modicon M340 Bmxp342010 by Schneider Electric
Modicon M340 Bmxp342020 by Schneider Electric
Modicon M340 Bmxp342030 by Schneider Electric
Modicon M580 Bmeh582040 by Schneider Electric
Modicon M580 Bmeh582040c by Schneider Electric
Modicon M580 Bmeh582040s by Schneider Electric
Modicon M580 Bmeh584040 by Schneider Electric
Modicon M580 Bmeh584040c by Schneider Electric
Modicon M580 Bmeh584040s by Schneider Electric
Modicon M580 Bmeh586040 by Schneider Electric
Modicon M580 Bmeh586040c by Schneider Electric
Modicon M580 Bmeh586040s by Schneider Electric
Modicon M580 Bmep581020 by Schneider Electric
Modicon M580 Bmep581020h by Schneider Electric
Modicon M580 Bmep582020 by Schneider Electric
Modicon M580 Bmep582020h by Schneider Electric
Modicon M580 Bmep582040 by Schneider Electric
Modicon M580 Bmep582040h by Schneider Electric
Modicon M580 Bmep582040s by Schneider Electric
Modicon M580 Bmep583020 by Schneider Electric
Modicon M580 Bmep583040 by Schneider Electric
Modicon M580 Bmep584020 by Schneider Electric
Modicon M580 Bmep584040 by Schneider Electric
Modicon M580 Bmep584040s by Schneider Electric
Modicon M580 Bmep585040 by Schneider Electric
Modicon M580 Bmep585040c by Schneider Electric
Modicon M580 Bmep586040 by Schneider Electric
Modicon M580 Bmep586040c by Schneider Electric
Modicon Mc80 Bmkc8020301 by Schneider Electric
Modicon Mc80 Bmkc8020310 by Schneider Electric
Modicon Mc80 Bmkc8030311 by Schneider Electric
Modicon Momentum 171cbu78090 by Schneider Electric
Modicon Momentum 171cbu98090 by Schneider Electric
Modicon Momentum 171cbu98091 by Schneider Electric
Modicon Premium Tsxp57 1634m by Schneider Electric
Modicon Premium Tsxp57 2634m by Schneider Electric
Modicon Premium Tsxp57 2834m by Schneider Electric
Modicon Premium Tsxp57 454m by Schneider Electric
Modicon Premium Tsxp57 4634m by Schneider Electric
Modicon Premium Tsxp57 554m by Schneider Electric
Modicon Premium Tsxp57 5634m by Schneider Electric
Modicon Premium Tsxp57 6634m by Schneider Electric
Modicon Quantum 140cpu65150 by Schneider Electric
Modicon Quantum 140cpu65150c by Schneider Electric
Modicon Quantum 140cpu65160 by Schneider Electric
Modicon Quantum 140cpu65160c by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service that crashes the PLC controller, disrupting industrial processes and potentially causing safety incidents or production downtime.
Likely Case
Temporary denial of service requiring controller restart, causing brief production interruptions in industrial environments.
If Mitigated
No impact if proper network segmentation and file validation controls prevent malicious project files from reaching controllers.
🎯 Exploit Status
Requires the ability to upload a specially crafted project file to the controller. This likely requires engineering workstation compromise or an insider threat.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact Schneider Electric for specific firmware updates
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-222-07
Restart Required: Yes
Instructions:
1. Review Schneider Electric security advisories SEVD-2021-222-04 and SEVD-2021-222-07.
2. Contact Schneider Electric support for firmware updates specific to your PLC model.
3. Schedule maintenance window for firmware update.
4. Backup current configuration.
5. Apply firmware update following vendor instructions.
6. Restart controller.
7. Verify functionality.
🔧 Temporary Workarounds
Restrict Project File Uploads
Implement strict controls on who can upload project files to PLC controllers and from which engineering workstations.
Network Segmentation
Isolate PLC controllers and engineering workstations in separate network segments with strict firewall rules.
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized project file uploads to PLC controllers
- Monitor for abnormal project file upload attempts and controller restart events
🔍 How to Verify
Check if Vulnerable:
Check if you have any affected Modicon PLC models or simulation software installed. Review device part numbers against affected list.
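One way to run the part-number review above against an asset inventory. This is an added example, not vendor or advisory code: the patterns are copied from the Affected Systems list on this page, while the inventory rows, asset tags and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Part-number patterns copied from the "Affected Systems" list on this page.
AFFECTED_PATTERNS = {
    "BMEP*": "Modicon M580 CPU",
    "BMEH*": "Modicon M580 CPU",
    "BMXP34*": "Modicon M340 CPU",
    "BMKC80*": "Modicon MC80",
    "171CBU*": "Momentum Ethernet CPU",
    "140CPU*": "Modicon Quantum CPU",
    "TSXP5*": "Modicon Premium CPU",
}

def normalize(part_number):
    """Upper-case and keep only letters/digits, so 'tsxp57 1634m' == 'TSXP571634M'."""
    return "".join(ch for ch in part_number.upper() if ch.isalnum())

def affected_family(part_number):
    """Return the affected product family for a part number, or None if nothing matches."""
    norm = normalize(part_number)
    for pattern, family in AFFECTED_PATTERNS.items():
        if fnmatchcase(norm, pattern):
            return family
    return None

def triage(inventory):
    """Split (asset_tag, part_number) rows into affected and unmatched lists."""
    affected, unmatched = [], []
    for tag, part in inventory:
        family = affected_family(part)
        if family:
            affected.append((tag, normalize(part), family))
        else:
            unmatched.append((tag, part))
    return affected, unmatched

# Constructed sample inventory (asset tags and rows are illustrative only).
SAMPLE_INVENTORY = [
    ("plc-line1", "BMEP582040"),
    ("plc-line2", "bmx p34 2020"),   # inconsistent spacing/case, as exports often have
    ("plc-legacy", "TSXP57 1634M"),
    ("eth-module", "BMXNOE0100"),    # BMX prefix, but does not match the CPU pattern
    ("hmi-01", ""),                  # missing part number: needs manual review
]

if __name__ == "__main__":
    hits, rest = triage(SAMPLE_INVENTORY)
    for tag, part, family in hits:
        print(f"AFFECTED  {tag:12} {part:14} {family}")
    for tag, part in rest:
        print(f"no match  {tag:12} {part!r}")
```

The PLC simulators listed under Affected Systems are software installs, so they need a separate software-inventory check; rows with no match or an empty part number should be reviewed by hand rather than treated as unaffected.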
Check Version:
Use EcoStruxure Control Expert or Process Expert software to check PLC firmware version, or check device labels for part numbers.
Verify Fix Applied:
Contact Schneider Electric to confirm your specific firmware version addresses CVE-2021-22792. Verify controller operates normally after applying updates.
📡 Detection & Monitoring
Log Indicators:
- Unexpected controller restarts
- Failed project file upload attempts
- Abnormal engineering workstation activity
Network Indicators:
- Unusual project file transfers to PLC controllers
- Engineering protocol traffic from unexpected sources
SIEM Query:
(source="plc-controller" AND (event="restart" OR event="file_upload_failed")) OR (source="engineering-workstation" AND process="control_expert.exe" AND action="upload_project")
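The SIEM query above returns uploads and restarts as separate hits; the added example below (not from the vendor or the original page) correlates them so that a restart shortly after a project upload, or an upload from an unapproved workstation, becomes a single alert. The `source`, `event`, `process` and `action` fields follow the query above; the `ts`, `host` and `target` fields, the allow-list, the time window and all events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: engineering workstations approved to upload projects.
APPROVED_WORKSTATIONS = {"ews-01"}
WINDOW = timedelta(minutes=10)  # assumption: correlation window

# Constructed events. source/event/process/action follow the SIEM query above;
# ts, host and target are assumed field names.
EVENTS = [
    {"ts": "2021-09-01T08:00:00", "source": "engineering-workstation", "host": "ews-01",
     "process": "control_expert.exe", "action": "upload_project", "target": "plc-a"},
    {"ts": "2021-09-01T09:15:00", "source": "engineering-workstation", "host": "ews-07",
     "process": "control_expert.exe", "action": "upload_project", "target": "plc-b"},
    {"ts": "2021-09-01T09:18:30", "source": "plc-controller", "host": "plc-b",
     "event": "restart"},
    {"ts": "2021-09-01T13:00:00", "source": "plc-controller", "host": "plc-a",
     "event": "restart"},
]

def correlate(events, approved=APPROVED_WORKSTATIONS, window=WINDOW):
    """Return (alert_type, controller, workstation) tuples in time order."""
    alerts, last_upload = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev.get("action") == "upload_project":
            # Remember the most recent upload per controller.
            last_upload[ev["target"]] = (ts, ev["host"])
            if ev["host"] not in approved:
                alerts.append(("unapproved_upload", ev["target"], ev["host"]))
        elif ev["source"] == "plc-controller" and ev.get("event") == "restart":
            prior = last_upload.get(ev["host"])
            if prior and ts - prior[0] <= window:
                # Restart closely follows an upload: review the uploaded project.
                alerts.append(("restart_after_upload", ev["host"], prior[1]))
            else:
                alerts.append(("unexpected_restart", ev["host"], None))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A planned firmware update also produces a restart after an upload, so alerts of this type should be checked against the maintenance schedule before escalation.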