Schneider Modicon Controllers M241/M251/M258/LMC058 Externally Controlled Reference to a Resource in Another Sphere (CVE-2025-2875)

high Tenable OT Security Plugin ID 503267

Synopsis

The remote OT asset is affected by a vulnerability.

Description

CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could cause a loss of confidentiality when an unauthenticated attacker manipulates controller's webserver URL to access resources.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Schneider Electric Modicon Controllers M241/M251 versions prior to 5.3.12.48: Version 5.3.12.48 of Modicon Controllers M241/M251 includes a fix for this vulnerability. Please use the following instructions:

- Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M241/M251 firmware and perform a reboot.
- Please install EcoStruxure Automation Expert – Motion V24.1 via the Schneider Electric Software Installer, available at the following link: https://www.se.com/us/en/product-range/2226-ecostruxuremachine-expert-software/#software-and-firmware

Additional information is available in the Quick Start Guide, chapter 'EcoStruxure Automation Expert Platform Installation'.

Schneider Electric Modicon Controllers M241/M251 versions prior to 5.3.12.48: If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
- Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use.
- Deactivate the Webserver after use when not needed.
- Use encrypted communication links when available.
- Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
- Use VPN (Virtual Private Networks) tunnels if remote access is required.
- The 'Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment' provide product specific hardening guidelines. To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric's security notification service here: https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp

Schneider Electric Modicon Controllers M258/LMC058 all versions: Schneider Electric is establishing a remediation plan for all future versions of Modicon M258/LMC058 that will include a fix for this vulnerability. Schneider Electric will update this document when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
- Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use.
- Deactivate the Webserver after use when not needed.
- Use encrypted communication links when available.
- Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
- Use VPN (Virtual Private Networks) tunnels if remote access is required.
- The 'Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon, and PacDrive Controllers and Associated Equipment' provide product specific hardening guidelines. To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric's security notification service here: https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp

The following product versions have been fixed:

- Modicon Controllers M241 version 5.3.12.48 is a fixed version for CVE-2025-2875
- Modicon Controllers M251 version 5.3.12.48 is a fixed version for CVE-2025-2875

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-133-01

See Also

https://www.se.com/us/en/download/document/7EN52-0390/

http://www.nessus.org/u?cc75adc7

https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-08

Plugin Details

Severity: High

ID: 503267

Version: 1.1

Type: remote

Family: Tenable.ot

Published: 6/5/2025

Updated: 6/5/2025

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/o:schneider-electric:modicon_m251_series_firmware, cpe:/o:schneider-electric:modicon_m241_series_firmware, cpe:/o:schneider-electric:modicon_m258_series_firmware, cpe:/o:schneider-electric:modicon_controllers_lmc058_firmware

Required KB Items: Tenable.ot/Schneider

Exploit Ease: No known exploits are available

Patch Publication Date: 5/13/2025

Vulnerability Publication Date: 5/13/2025

Reference Information

CVE: CVE-2025-2875

ICSA: 25-140-08