Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

View CSAF
Summary
Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack which could result in an account takeover scenario or the execution of code in the user browser.
The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected:

Modicon M241 versions prior to 5.4.13.12 Modicon_Controller_M241
Modicon M251 versions prior to 5.4.13.12 Modicon_Controller_M251
Modicon Controllers M258 all firmware versions Modicon_Controllers_M258
Modicon Controllers LMC058 all firmware versions Modicon_Controllers_LMC058





CVSS
Vendor
Equipment
Vulnerabilities




v3 5.4
Schneider Electric
Schneider Electric Modicon Controllers M241, M251, M258, and LMC058
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')




Background

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France


Vulnerabilities

Expand All +

CVE-2025-13902

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.
View CVE Details

Affected Products
Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Vendor:Schneider Electric
Product Version:Schneider Electric Modicon M241 versions prior to 5.4.13.12: Modicon_Controller_M241, Schneider Electric Modicon M251 versions prior to 5.4.13.12: Modicon_Controller_M251, Schneider Electric Modicon Controllers M258 all firmware versions: Modicon_Controllers_M258, Schneider Electric Modicon Controllers LMC058 all firmware versions: Modicon_Controllers_LMC058
Product Status:known_affected


Remediations
MitigationSchneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/
MitigationSchneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/ww/en/download/document/EIO0000005500/
MitigationSchneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/ww/en/download/document/EIO0000003059/
MitigationSchneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER
MitigationModicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/
MitigationModicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/ww/en/download/document/EIO0000005500/
MitigationModicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/us/en/download/document/EIO0000003089/
MitigationModicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure? Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure? Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER
MitigationIf customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242.https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242
MitigationModicon Controllers M258 and Modicon Controllers LMC058: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242.https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242
MitigationFor more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json.https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf
MitigationFor more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json.https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics




CVSS Version
Base Score
Base Severity
Vector String




3.1
5.4
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N








Acknowledgments

Noam Moshe of Claroty reported this vulnerability to Schneider Electric Schneider Electric reported this vulnerability to CISA


Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-03-19




Date
Revision
Summary




2026-03-19
1
Initial Republication of Schneider Electric CPCERT SEVD-2026-069-02




Legal Notice and Terms of Use

https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-02

2026-03-19 12:00 UTC
--- FMail-lnx 2.3.2.6-B20251227
* Origin: TCOB1 A Mail Only System (2:263/1)