The vulnerability of Modicon microprogrammed controllers lies in the lack of checks for the integrity of updates to the embedded software. This allows a malicious actor to download the updated embedded software with an invalid web server URL via FTP, thereby causing a service failure.

🗓️ 25 Nov 2019 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 1 Views

Modicon controllers lack integrity checks for firmware updates, enabling invalid URL FTP updates and service failure.

Reporter	Title	Published	Views	Family All 11
CNVD	Schneider Electric Modicon M580/M340/BMxCRA/140CRA Denial of Service Vulnerability (CNVD-2019-41497)	30 Oct 201900:00	–	cnvd
CVE	CVE-2019-6842	29 Oct 201914:47	–	cve
Cvelist	CVE-2019-6842	29 Oct 201914:47	–	cvelist
EUVD	EUVD-2019-16396	7 Oct 202500:30	–	euvd
NVD	CVE-2019-6842	29 Oct 201919:15	–	nvd
Tenable Nessus	Schneider-electric Modicon Improper Handling of Exceptional Conditions	8 Nov 201900:00	–	nessus
Tenable Nessus	Schneider Electric Modicon Improper Handling of Exceptional Conditions (CVE-2019-6842)	7 Feb 202200:00	–	nessus
Prion	Design/Logic Flaw	29 Oct 201919:15	–	prion
RedhatCVE	CVE-2019-6842	22 May 202506:34	–	redhatcve
Talos	Schneider Electric Modicon M580 FTP incomplete firmware update denial-of-service vulnerability	8 Oct 201900:00	–	talos

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2019-6842
schneider-electric	www.schneider-electric.com/en/download/document/SEVD-2019-281-02/
nvd	www.nvd.nist.gov/vuln/detail
schneider-electric	www.schneider-electric.com/en/download/document/SEVD-2019-281-02

25 Nov 2019 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 34.9

CVSS 26.8

EPSS0.00959

modicon controllers firmware updates file transfer protocol invalid url web server url service failure integrity checks