{"id":41733,"date":"2021-07-13T14:28:34","date_gmt":"2021-07-13T14:28:34","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32460\/Armis-Discovers-Critical-Vulnerability-In-Schneider-Electric-Modicon-PLCs.html"},"modified":"2021-07-13T14:28:34","modified_gmt":"2021-07-13T14:28:34","slug":"armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/","title":{"rendered":"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.armis.com\/wp-content\/uploads\/2021\/03\/Social-1200x627-1.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<h3 id=\"h-technical-findings-overview\">Technical findings overview<\/h3>\n<p>The discovered vulnerability (CVE-2021-22779) is a authentication bypass vulnerability that can be chained with additional vulnerabilities in the UMAS protocol that were discovered in the past but only partly mitigated. Armis researchers discovered (as we\u2019ll detail below) that while these additional vulnerabilities (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-7852\">CVE-2018-7852<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-6829\">CVE-2019-6829<\/a>) were categorized as denial-of-service, they can actually lead to native remote-code-execution. These vulnerabilities are essentially undocumented commands in the UMAS protocol, and Armis researchers discovered that instead of removing these commands from the protocol (maybe due to legacy dependencies), SE added an authentication mechanism around them to mitigate their risk. Unfortunately, this mechanism was found to be faulty, and thus in light of this latest discovery these commands will require a more fundamental fix to be fully mitigated.<\/p>\n<p>Due to the above, the following CVEs still impact latest firmware versions of Modicon M340 and M580 PLCs:<\/p>\n<ul>\n<li>CVE-2021-22779 \u2013 Authentication bypass vulnerability via UMAS command <em>MemoryBlockRead<\/em><\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-7852\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2018-7852<\/a> \u2013 Untrusted pointer dereference via UMAS command <em>PrivateMessage <\/em>(RCE)<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-6829\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2019-6829<\/a> \u2013 Arbitrary memory write via UMAS command <em>WritePhysicalAddress <\/em>(RCE)<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-7537\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2020-7537<\/a> \u2013 Arbitrary memory read via UMAS command <em>ReadPhysicalAddress <\/em>(Information leak)<\/li>\n<\/ul>\n<p>Additional Modicon models are currently considered not vulnerable, while Armis researchers continue analyzing their full impact.<\/p>\n<p>To fully understand the technical details of the findings described above, some background is required on the Modbus and UMAS protocols.<\/p>\n<h4 id=\"h-modbus\">Modbus<\/h4>\n<p>Modbus is the de facto standard for controlling PLCs in SCADA systems. It was first published by Modicon (now Schneider Electric) in 1979. Modbus was designed a long time ago and is missing features required by modern systems, such as transfer of binary objects to and from the PLC.<\/p>\n<p>Modbus can operate over serial communication or IP communication. The widely used IP version of Modbus is the Modbus\/TCP standard.<\/p>\n<p>Modicon chose to extend the Modbus implementation under a reserved Modbus function code. The extended protocol is called UMAS, and it adds authentication, binary data transfer, firmware updates, and additional features to the basic Modbus protocol.<\/p>\n<h4 id=\"h-umas\">UMAS<\/h4>\n<p>Modicon PLCs (M340, M580, and others) implement UMAS. UMAS re-implements standard Modbus commands and some necessary Modbus functions that are missing.<\/p>\n<p>For example, one of the proprietary UMAS commands is the MemoryBlockWrite command (function code 0x21), which does not require authentication.<\/p>\n<p>The command writes a chunk of binary data to an offset within a certain block ID. The blocks are located in fixed memory addresses, and are marked as writable or read-only blocks. When attempting to write on a read-only block, the MemoryBlockWrite command returns an error response.<\/p>\n<h5 id=\"h-umas-reservation-mechanisms\">UMAS Reservation Mechanisms<\/h5>\n<p>Certain changes to a PLC require multiple commands that depend on one another. To allow for such scenarios, Modicon implemented a reservation mechanism. The reservation mechanism was created to synchronize modifications of the PLC\u2019s program \u2013 a form of a global locking mechanism over certain critical changes. Once an engineering workstation successfully reserves a PLC over UMAS, it receives a one-byte token that is used to perform modifications to the PLC. This token allows the workstation to change any aspect of the application running on the PLC. UMAS commands that don\u2019t modify the PLC do not require this token and can take place without any authentication by the workstation. Since only one workstation can reserve the PLC at a time, this mechanism protects the PLC from overlapping modifications that can damage the PLC, the equipment it controls and the normal operation of the factory.<\/p>\n<p>The initial version of the reservation mechanism (we\u2019ll name this <em>basic reservation<\/em>) worked by utilizing a UMAS command with function code 0x10. This command did not require authentication, or challenge-response handshake, and relied on a hardcoded shared secret between the PLC and SE\u2019s managing software on the engineering workstation:<\/p>\n<p>The hardcoded secret used by this mechanism can be observed in the unencrypted UMAS traffic, or located by reverse engineering a Modicon PLC firmware.<\/p>\n<h5 id=\"h-enhanced-reservation\">Enhanced Reservation<\/h5>\n<p>Over time, security concerns were raised, and various undocumented UMAS commands were shown to allow remote-code-execution, or other malicious intent. SE decided to enhance the reservation mechanism, so it will not only act as a locking mechanism, but as an authentication mechanism as well.<\/p>\n<p>The Enhanced Reservation mechanism is based on a challenge-response handshake in which a shared password is authenticated. The shared password, called the <em>application password<\/em>, is dynamically set, when a project file is being uploaded to the PLC. The Enhanced Reservation mechanism utilizes the UMAS command with the function code 0x6E:<\/p>\n<p>In this command the workstation and the PLC are exchanging a randomly generated buffer of 0x20 bytes:<\/p>\n<p>A hash of these buffers, combined with the application password\u2019s hash is used to complete the reservation.<\/p>\n<p class=\"has-text-align-center\"><em>Decompiled code snippet from the umas_EnahcnedResvMngt command handler from a Modicon firmware<\/em><\/p>\n<p>As noted above, the secret shared key used in this mechanism is the hash of the password configured in the EcoStruxure software running on the Engineering Workstation. The EcoStruxure software encourages the user to configure a password upon creation of a new project. When a project file is transferred to the PLC the new application password is also configured on the PLC.<\/p>\n<p>In both versions of the reservation mechanism, a one byte token is sent in response upon a successful reservation, and this token will then be prepended to UMAS commands that require authentication.<\/p>\n<h4 id=\"h-bypassing-authentication-take-1-cve-2020-7537\">Bypassing Authentication \u2013 Take 1 (CVE-2020-7537)<\/h4>\n<p>Having reversed engineered the algorithm of the enhanced reservation mechanism, we wanted to see if we can leak the application password (or it\u2019s hash) via an undocumented UMAS command. Static analysis of the latest firmware (at the time) of the M340 PLC, revealed a suspicious UMAS command:<\/p>\n<p>The <em>pu_ReadPhysicalAddress <\/em>copies a memory chunk from a chosen address in the input command, to a response buffer. Other than simple validation of buffer sizes, the function poses no limitation on the address being read from the memory. Essentially this undocumented commands allows leaking all memory in the address space of the PLC.<\/p>\n<p class=\"has-text-align-center\"><em>Decompiled snippet from the pu_ReadPhysicalAddress command<\/em><\/p>\n<p>This command can be used to leak the hash of the <em>application password<\/em>, that is stored in the memory of the PLC, and used to reserve and manage a PLC by an unauthenticated attacker.<\/p>\n<p>In addition, a memory read command such as this can be used to leak sensitive information from the PLC that might relate to its operation, or even used as a denial of service primitive (!). Since there are no limitations on the address being read by this command, an attacker can abuse this command to crash the device by reading from certain hardware-specific addresses that will cause drivers on the PLC to be out-of-sync with the hardware. This can lead to various edge cases that can result in denial of service. When a PLC crashes in such a way it will not return quickly to normal operation \u2013&nbsp; a physical button needs to be pushed by an operator to restart the device.<\/p>\n<p class=\"has-text-align-center\"><em>Wireshark capture of an application password hash being leaked via the ReadPhysicalAddress UMAS command<\/em><\/p>\n<p>This vulnerability was reported to SE in November 2020, and was disclosed in a <a href=\"https:\/\/www.se.com\/ww\/en\/download\/document\/SEVD-2020-343-08\/\" target=\"_blank\" rel=\"noreferrer noopener\">security advisory<\/a> December 2020. The patch introduced by SE to resolve this issue defined the <em>ReadPhysicalAddress<\/em> command as one that requires reservation \u2013 leveraging the mechanism to fend off this attack. While this did mitigate this authentication bypass, it did not fully resolve the underline risks in this command \u2013 since it might still be triggered if the project file in use is password-less.<\/p>\n<h4 id=\"h-bypassing-authentication-take-2-cve-2021-22779\">Bypassing Authentication \u2013 Take 2 (CVE-2021-22779)<\/h4>\n<p>To better understand the UMAS messages flow of the Enhanced Reservation mechanism we connected to the PLC with the EcoStruxure software and analyzed the traffic it created. We noticed something interesting: when the correct password was typed into the EcoStruxure software some UMAS commands were generated as expected, but when an incorrect password was typed the software rejected the password without generating any traffic with the PLC.<\/p>\n<p>This raised the question \u2013 how does the EcoStruxure software know the password is incorrect without communicating with the PLC? To answer this question we analyzed the UMAS commands sent by the workstation <strong>before<\/strong> the password is entered. One of the commands used by the workstation was the <em>MemoryBlockRead <\/em>command \u2013 that allows reading preconfigured blocks from memory, without authentication (similar to the <em>MemoryBlockWrite <\/em>command). Unlike the <em>ReadPhysicalAddress <\/em>command, the block IDs limit the access of the memory to certain fixed memory addresses.<\/p>\n<p class=\"has-text-align-center\"><em>The structure of UMAS command used to read predefined memory blocks from the PLC<\/em><\/p>\n<p>Nevertheless, it appears the software uses this command, <strong>pre-reservation,<\/strong> to read the hash of the password from the PLC, and validate if the password entered by the user is correct. Needless to say, this mechanism is fundamentally flawed \u2013 the password hash is both passed over an unencrypted protocol, and can also be read by any unauthenticated attacker that simply implements the memory block read command.<\/p>\n<p>While the EcoStruxure software uses the memory read command to validate the password hash \u2013 an unauthenticated attacker can simply use the read password hash to bypass the authentication mechanism of the Enhanced Reservation altogether.<\/p>\n<p class=\"has-text-align-center\"><em>Simple script that implements this authentication bypass technique (certain details have been censored)<\/em><\/p>\n<h4 id=\"h-from-authentication-bypass-to-rce\">From Authentication Bypass to RCE<\/h4>\n<p>As described above, two undocumented UMAS commands where found in the past to lead to denial-of-service \u2013 the UMAS command <em>WritePhysicalAddress<\/em> (function code 0x29, CVE-2019-6829), and <em>PrivateMessage<\/em> (function code 0x6D, CVE-2018-7852). As we\u2019ll show below, the two can actually lead to remote-code-execution.<\/p>\n<h5 id=\"h-arbitrary-memory-write\">Arbitrary Memory Write<\/h5>\n<p>The command <em>WritePhysicalAddress <\/em>is the write equivalent for the <em>ReadPhysicalAddress<\/em> command described above. This command allows arbitrary write to any address in the PLC memory, with a data buffer supplied in the input buffer. While in the latest firmware version this command is inaccessible when an <em>application password<\/em> is in use, it can still be triggered if a <em>downgrade attack<\/em> is performed after the reservation mechanism has been bypassed (more on that in a bit) \u2013 or if an <em>application password<\/em> is never set in the first place.<\/p>\n<p class=\"has-text-align-center\"><em>The WritePhysicalAddress command handler (the test variable represents the current reservation mode)<\/em><\/p>\n<p>While it is clear why this command can lead to denial-of-service (by altering memory with arbitrary data), it is unclear why this vulnerability was not categorized as remote-code-execution. Altering memory in an attacker-controlled address with an attacker-controlled payload is probably the easiest exploitation path there is to RCE. Numerous&nbsp; function pointers, stack variables, or C++ vtable pointers reside in memory that can be altered, and shift the execution state from its original state. Using these to then reach attacker-controlled code can be done using ROP techniques. A similar exploit was developed by Armis researchers when an exploit utilizing the URGENT\/11 was demonstrated to impact Modicon PLCs in a <a href=\"https:\/\/info.armis.com\/rs\/645-PDC-047\/images\/Armis-URGENT11-on-OT-WP.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">whitepaper<\/a> (page 20) from December 2020.<\/p>\n<h5 id=\"h-remote-procedure-call-rpc-a-k-a-privatemessage\">Remote Procedure Call (RPC, a.k.a <em>PrivateMessage<\/em>)<\/h5>\n<p>The second undocumented command \u2013 <em>PrivateMessage<\/em> is a command that triggers internal functions in the PLC, by accessing C++ objects pointed by a pointer provided in the input buffer, and than triggering a callback function from these parsed objects. It is unclear what is the commercial use for this specific command, but it is clear it can lead to denial-of-service when the passed pointer does not point to a valid C++ object in the PLCs memory.<\/p>\n<p>Turning this vulnerability to an RCE is only a bit more complex. A valid structure of a C++ object can be uploaded to the PLC memory via the <em>MemoryBlockWrite<\/em> command to a known address in memory. Then the <em>PrivateMessage <\/em>command can be sent \u2013 triggering a call to a function within the vtable of the C++ object controlled by the attacker. Similar to the steps detailed above, reaching attacker-controlled code by controlling the PC of the program is only a matter of connecting the dots via several ROP gadgets.<\/p>\n<h5 id=\"h-downgrade-attack\">Downgrade Attack<\/h5>\n<p>Schneider Electric\u2019s fix for both undocumented commands shown above was similar \u2013 disabling them completely when an <em>application password <\/em>is in use. However, when it isn\u2019t in use, these commands remain accessible, perhaps to retain some legacy compatibility with tools that use these commands.<\/p>\n<p>However, by exploiting the authentication bypass vulnerability (such as CVE-2021-22779) an attacker can downgrade the PLC\u2019s security by uploading a new project file with no password configured. Once this downgrade attack is done, the undocumented commands detailed above can nevertheless be used by attackers to gain native code execution.<\/p>\n<p>The attack steps are as follow:<\/p>\n<ol>\n<li>Bypass the authentication with CVE-2021-22779 and reserve the PLC<\/li>\n<li>Upload a new project file with no application password configured<\/li>\n<li>Release the PLC reservation and disconnect from the device<\/li>\n<li>Reconnect to the PLC with the basic reservation method, no password is needed<\/li>\n<\/ol>\n<p>Reach code execution by exploiting one of the undocumented commands that can reach RCE (<em>WritePhysicalAddress<\/em>, or <em>PrivateMessage<\/em>)<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/32460\/Armis-Discovers-Critical-Vulnerability-In-Schneider-Electric-Modicon-PLCs.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":41734,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[968],"class_list":["post-41733","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlineflaw"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-13T14:28:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"627\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs\",\"datePublished\":\"2021-07-13T14:28:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/\"},\"wordCount\":2128,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg\",\"keywords\":[\"headline,flaw\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/\",\"name\":\"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg\",\"datePublished\":\"2021-07-13T14:28:34+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg\",\"width\":1200,\"height\":627},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,flaw\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlineflaw\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/","og_locale":"en_US","og_type":"article","og_title":"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-07-13T14:28:34+00:00","og_image":[{"width":1200,"height":627,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs","datePublished":"2021-07-13T14:28:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/"},"wordCount":2128,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg","keywords":["headline,flaw"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/","url":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/","name":"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg","datePublished":"2021-07-13T14:28:34+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs.jpg","width":1200,"height":627},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/armis-discovers-critical-vulnerability-in-schneider-electric-modicon-plcs\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,flaw","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlineflaw\/"},{"@type":"ListItem","position":3,"name":"Armis Discovers Critical Vulnerability In Schneider Electric Modicon PLCs"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41733"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41733\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/41734"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}