CVE-2018-7809
Published 2018-11-30
Priority: P265 · Severity: critical 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.47% (82.5th percentile)
An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server.
Detection & IOCs (extracted from sources)
URL: http://[ip]/unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
Bytes (TCP/502, Modbus): \x00\xa8\x00\x00\x00\x05\x00\x5a\x00\x07\x00
- Monitor HTTP GET requests to /unsecure/embedded/builtin carrying the query parameter 'submit=Delete%20Password' or 'subhttppwd=Save+User'; these indicate unauthenticated password delete or change attempts against the Modicon PLC web server.
- Alert on HTTP GET requests to /unsecure/embedded/builtin containing a 'passwd=' parameter; the endpoint requires no authentication, so any such request indicates exploitation of the sibling unauthenticated password change issue, CVE-2018-7811.
- Detect incomplete HTTP requests (no \r\n\r\n header terminator) to port 80 on Modicon devices; such requests stall the web server for roughly one minute.
- Monitor TCP port 502 (Modbus) for the byte sequence \x00\xa8\x00\x00\x00\x05\x00\x5a\x00\x07\x00, which causes a complete shutdown of the Ethernet module.
- Detect logins with the known default FTP credentials on Modicon devices: sysdiag/factorycast@schneider, fdrusers/sresurdf, fwupgrade/FaAmU5p2F~, loki/ZfTljublsx.
- The password reset via /unsecure/embedded/builtin also restores the default credentials USER/USER, so after exploitation the device may be reachable with defaults.
- At the time of the advisory no patches existed for these vulnerabilities; Schneider Electric recommended only network-level mitigations such as ACLs and firewalls.
- The password change endpoint accepts HTTP GET, so the new credentials travel in the URL (and land in proxy logs and browser history), and the request carries no anti-CSRF token; a crafted link or image tag on any page an operator visits can therefore trigger the change.
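The indicators above, applied to constructed sample events, as an added example that is not code from the page's sources, from Schneider Electric or from Tenable. The paths, query parameters, Modbus byte sequence and credential pairs are the ones listed above; the event dictionary shape, the IP addresses (documentation ranges) and the alert names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the detection notes above.
BUILTIN_PATH = "/unsecure/embedded/builtin"
MODBUS_SHUTDOWN_SEQ = b"\x00\xa8\x00\x00\x00\x05\x00\x5a\x00\x07\x00"
DEFAULT_FTP_CREDS = {
    ("sysdiag", "factorycast@schneider"),
    ("fdrusers", "sresurdf"),
    ("fwupgrade", "FaAmU5p2F~"),
    ("loki", "ZfTljublsx"),
}
# Alert names are an assumption of this example, not a published rule set.
ALERT_DELETE = "modicon_password_delete"          # CVE-2018-7809
ALERT_CHANGE = "modicon_password_change"          # sibling CVE-2018-7811
ALERT_HTTP_DOS = "modicon_http_incomplete_request"
ALERT_MODBUS = "modicon_modbus_ethernet_shutdown"
ALERT_FTP = "modicon_default_ftp_login"


def classify_http_request(url: str) -> list:
    """Alerts for one request URL against the builtin endpoint.

    The advisory describes GET requests, but the query string is the real
    indicator, so it is checked whatever the method.  parse_qs decodes both
    'Delete%20Password' and 'Save+User' into their space-separated forms.
    """
    parts = urlsplit(url)
    if parts.path != BUILTIN_PATH:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    buttons = [v.strip() for v in qs.get("submit", []) + qs.get("subhttppwd", [])]
    alerts = []
    if "Delete Password" in buttons:
        alerts.append(ALERT_DELETE)
    if "passwd" in qs or "Save User" in buttons:
        alerts.append(ALERT_CHANGE)
    return alerts


def is_incomplete_http_request(payload: bytes) -> bool:
    """True for a request line that is never followed by the header terminator.

    The advisory reports such requests stall the web server for about a
    minute.  Assumes the caller passes the client side of one reassembled TCP
    stream; a half-captured request would otherwise look identical.
    """
    looks_like_request = re.match(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]", payload)
    return bool(looks_like_request) and b"\r\n\r\n" not in payload


def scan(events: list) -> list:
    """Apply all checks to a list of event dicts; returns (src, alert) pairs.

    Event shape (an assumption of this example): 'kind' is 'http', 'tcp' or
    'ftp_login', with the fields read below.
    """
    hits = []
    for ev in events:
        src, kind = ev["src"], ev["kind"]
        if kind == "http":
            hits.extend((src, a) for a in classify_http_request(ev["url"]))
        elif kind == "tcp" and ev["dport"] == 80:
            if is_incomplete_http_request(ev["payload"]):
                hits.append((src, ALERT_HTTP_DOS))
        elif kind == "tcp" and ev["dport"] == 502:
            if MODBUS_SHUTDOWN_SEQ in ev["payload"]:
                hits.append((src, ALERT_MODBUS))
        elif kind == "ftp_login":
            if (ev["user"], ev["password"]) in DEFAULT_FTP_CREDS:
                hits.append((src, ALERT_FTP))
    return hits


# Constructed sample events; addresses come from documentation ranges.
PLC = "192.0.2.10"
SAMPLE_EVENTS = [
    {"kind": "http", "src": "198.51.100.5",
     "url": f"http://{PLC}/unsecure/embedded/builtin?Language=English&submit=Delete%20Password"},
    {"kind": "http", "src": "198.51.100.6",
     "url": f"http://{PLC}/unsecure/embedded/builtin?Language=English&user=admin"
            "&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User"},
    {"kind": "http", "src": "198.51.100.7", "url": f"http://{PLC}/index.htm"},
    {"kind": "tcp", "src": "198.51.100.8", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: plc\r\n"},            # no terminator
    {"kind": "tcp", "src": "198.51.100.9", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"},        # well-formed
    {"kind": "tcp", "src": "198.51.100.10", "dport": 502,
     "payload": MODBUS_SHUTDOWN_SEQ},
    {"kind": "ftp_login", "src": "198.51.100.11",
     "user": "sysdiag", "password": "factorycast@schneider"},
    {"kind": "ftp_login", "src": "198.51.100.12",
     "user": "engineer", "password": "not-a-default"},
]

if __name__ == "__main__":
    for src, alert in scan(SAMPLE_EVENTS):
        print(f"{src}\t{alert}")
```

Because the endpoint is reachable without authentication, the same URL is what a legitimate operator submits from the device's own web form, so in practice the HTTP checks are most useful when combined with an allow-list of engineering-workstation addresses rather than fired on every match.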
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.4 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:P
No detection rules found.
No public exploits indexed.
Source: Tenable, "Tenable Research Advisory: Multiple ICS Vulnerabilities in Schneider Modicon Quantum PLC" (blogs_tenable, 2018-11-27)
# Tenable Research Advisory: Multiple ICS Vulnerabilities in Schneider Modicon Quantum PLC
Tenable Research, November 27, 2018
Tenable Research discovered multiple vulnerabilities in Schneider’s Modicon Quantum programmable logic controller. Schneider has recommended mitigations for impacted end users.
### Background
While examining a Schneider Modicon Quantum programmable logic controller (PLC) Tenable Research discovered several vulnerabilities.
The Modicon Quantum is used for complex process control, safety and infrastructure in industrial settings like manufacturing. Industrial control systems typically include a computer called a programmable logic controller (PLC). PLCs connect directly to instruments, for example valve and pump actuators a
Source: Tenable, "[R1] Multiple Schneider Electric Modicon Quantum Vulnerabilities" (blogs_tenable, 2018-11-26)
Source: arXiv, "The Global State of Security in Industrial Control Systems: An Empirical Analysis of Vulnerabilities around the World" (arxiv_fulltext, 2021-11-27)
Simon Daniel Duque Anton, Daniel Fraunholz, Daniel Krohmer, Daniel Reti, Daniel Schneider, and Hans Dieter Schotten
This is a pre-print of a paper published in the IEEE Internet of Things Journal.
Please cite as: S. D. Duque Anton, D. Fraunholz, D. Krohmer, D. Reti, D. Schneider, and H. D. Schotten: The Global State of Security in Industrial Control Systems: An Empirical Analysis of Vulnerabilities around the World, IEEE Internet of Things Journal, May 2021.
S. D. Duque Anton was with the German Research Center for Artificial Intelligence. He is now with the comlet Verteilte Systeme GmbH and with the University of Kaiserslautern.
D. Reti, D. Schneider and H. D. Schotten are with the G