Changeflow GovPing Data Privacy & Cybersecurity CISA ICS Advisory: Schneider Electric Modicon C...
Priority review Notice Added Final

CISA ICS Advisory: Schneider Electric Modicon Controllers Vulnerable

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published March 19th, 2026
Detected March 19th, 2026
Email

Summary

CISA issued an advisory regarding vulnerabilities in Schneider Electric Modicon Controllers M241, M251, M258, and LMC058. Successful exploitation could lead to cross-site scripting or open redirect attacks, potentially resulting in account takeover or code execution.

View original document View source feed page

What changed

CISA has released an Industrial Control System (ICS) Advisory (ICSA-26-078-02) detailing vulnerabilities affecting Schneider Electric Modicon Controllers M241, M251, M258, and LMC058. The vulnerabilities, including CVE-2025-13902, are related to improper neutralization of input during web page generation (Cross-site Scripting). Successful exploitation could allow authenticated attackers to execute arbitrary JavaScript in a victim's browser, potentially leading to account takeover or code execution.

Affected products include specific firmware versions of M241 and M251, and all firmware versions of M258 and LMC058. Schneider Electric has provided a remediation by updating Modicon Controller M241 firmware to version 5.4.13.12, which is delivered with EcoStruxure™ Machine Expert v2.5.0.1. Users are advised to install the latest firmware and perform a reboot. The advisory highlights that these controllers are deployed worldwide across Critical Manufacturing, Energy, and Commercial Facilities sectors.

What to do next

  1. Update Modicon Controller M241 firmware to version 5.4.13.12 or later.
  2. Install EcoStruxure™ Machine Expert v2.5.0.1 on the engineering workstation.
  3. Perform a reboot of the affected controllers after updating firmware.

Source document (simplified)

ICS Advisory

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Release Date

March 19, 2026

Alert Code ICSA-26-078-02 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF

Summary

Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack which could result in an account takeover scenario or the execution of code in the user browser.

The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected:

  • Modicon M241 versions prior to 5.4.13.12 ModiconControllerM241
  • Modicon M251 versions prior to 5.4.13.12 ModiconControllerM251
  • Modicon Controllers M258 all firmware versions ModiconControllersM258
  • Modicon Controllers LMC058 all firmware versions ModiconControllersLMC058

| CVSS | Vendor | Equipment | Vulnerabilities |
| --- | --- | --- | --- |
| v3 5.4 | Schneider Electric | Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |

Background

  • Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: France

Vulnerabilities

Expand All +

CVE-2025-13902

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.

View CVE Details

Affected Products

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Vendor:
Schneider Electric Product Version:
Schneider Electric Modicon M241 versions prior to 5.4.13.12: ModiconControllerM241, Schneider Electric Modicon M251 versions prior to 5.4.13.12: ModiconControllerM251, Schneider Electric Modicon Controllers M258 all firmware versions: ModiconControllersM258, Schneider Electric Modicon Controllers LMC058 all firmware versions: ModiconControllersLMC058 Product Status:
known_affected

Remediations

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/EIO0000005500/

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/EIO0000003059/

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/EIO0000005500/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/us/en/download/document/EIO0000003089/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER

Mitigation
If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242.
https://download.schneider-electric.com/files?penDocType=User+guide&pFileName=EIO0000004242.00.pdf&pDoc_Ref=EIO0000004242

Mitigation
Modicon Controllers M258 and Modicon Controllers LMC058: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242.
https://download.schneider-electric.com/files?penDocType=User+guide&pFileName=EIO0000004242.00.pdf&pDoc_Ref=EIO0000004242

Mitigation
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json.
https://download.schneider-electric.com/files?pDocRef=SEVD-2026-069-02&penDocType=Security+and+Safety+Notice&pFile_Name=SEVD-2026-069-02.pdf

Mitigation
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json.
https://download.schneider-electric.com/files?pDocRef=SEVD-2026-069-02&penDocType=Security+and+Safety+Notice&pFile_Name=sevd-2026-069-02.json

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics

| CVSS Version | Base Score | Base Severity | Vector String |
| --- | --- | --- | --- |
| 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |

Acknowledgments

  • Noam Moshe of Claroty reported this vulnerability to Schneider Electric
  • Schneider Electric reported this vulnerability to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

  • Initial Release Date: 2026-03-19

| Date | Revision | Summary |
| --- | --- | --- |
| 2026-03-19 | 1 | Initial Republication of Schneider Electric CPCERT SEVD-2026-069-02 |

Legal Notice and Terms of Use

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

  • Schneider Electric

Tags

Sector: Commercial Facilities Sector, Critical Manufacturing Sector, Energy Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Related Advisories

Mar 19, 2026

ICS Advisory | ICSA-26-078-08

Automated Logic WebCTRL Premium Server

Mar 19, 2026

ICS Advisory | ICSA-26-078-05

Mitsubishi Electric CNC Series

Mar 19, 2026

ICS Advisory | ICSA-26-078-01

Schneider Electric Modicon M241, M251, and M262

Mar 19, 2026

ICS Advisory | ICSA-26-078-03

Schneider Electric EcoStruxure Automation Expert

Named provisions

Summary Background Vulnerabilities Affected Products Remediations

Related changes

Favicon for www.cisa.gov CISA Adds Cisco Vulnerability CVE-2026-20131 to KEV Catalog
Urgent Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA ICS Advisory: Schneider Electric Modicon Vulnerabilities
Priority review Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA Adds Microsoft SharePoint Vulnerability to KEV Catalog
Urgent Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.justice.gov DOJ Seizes Four Domains Used in Iranian Cyber Operations
Urgent Mar 20, 2026 DOJ News Courts & Legal
Favicon for www.cert.ssi.gouv.fr Microsoft Products Vulnerabilities
Priority review Mar 19, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity
Favicon for www.cert.ssi.gouv.fr CERT-FR: Multiple vulnerabilities in Roundcube software
Priority review Mar 19, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Data Privacy & Cybersecurity
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CISA
Published
March 19th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
ICSA-26-078-02

Who this affects

Applies to
Manufacturers Energy companies Commercial Facilities
Industry sector
3345 Medical Device Manufacturing 2210 Electric Utilities 3114 Food & Beverage Manufacturing
Activity scope
Industrial Control System Management Vulnerability Remediation
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Industrial Control Systems Vulnerability Management

Browse Categories

Agriculture & Food Safety 61 Banking & Finance 211 Consumer Protection 35 Courts & Legal 245 Data Privacy & Cybersecurity 59 Defense & National Security 48 Education 20 Energy 101 Energy & Utilities 1 Environment 82 Government & Legislation 240 Healthcare 116 Housing 15 Immigration 8 Insurance 56 Labor & Employment 110 Pharma & Drug Safety 77 Securities & Markets 73 Tax 49 Telecom & Technology 34 Trade & Sanctions 122 Transportation 56

Get Data Privacy & Cybersecurity alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Free. Unsubscribe anytime.