0-day Vulnerabilities leave thousands of Schneider Electric PLCs exposed to a hostile take-over and sensitive data interception


November 21, 2018 | Written by: Maureen Pushinsky

#CVE-2018-7798, #SEVD-2018-270-01, #PLCHijacking, #CRITIFENCE, #Cyber, #Security, #cybersecurity, #SCADA, #ICS, #OT, #IioT, #CI, #Critical, #Infrastructure, #criticalinfrastructure



Security researchers at CRITIFENCE Technologies, together with ICS-CERT, publicly announced this week (November 20, 2018) major cyber security vulnerabilities affecting Schneider Electric, one of the world’s largest manufacturers of SCADA and Industrial Control Systems.

The zero-day vulnerabilities, dubbed PLCHijacking, were found earlier this year and demonstrated in the months that followed in a new proof of concept by CRITIFENCE’s Critical Infrastructure and SCADA/ICS Cyber Threats Research Group.

The PLCHijacking vulnerabilities (CVE-2018-7798) affect a range of PLC models by Schneider Electric. A Programmable Logic Controller (PLC) allows operators and process engineers to control and maintain manufacturing processes and field equipment such as valves, pumps, motors, turbines and centrifuges.

The vulnerabilities have been officially published by Schneider Electric and ICS-CERT (ICSA-18-324-02). Schneider Electric had already released an advisory for the PLCHijacking vulnerabilities (SEVD-2018-270-01). “PLCHijacking is a new type of vulnerability which has never been seen before. The vulnerabilities allow an attacker to change the network configuration of the target PLC and to remotely disconnect the PLC devices from the SCADA network. This attack vector also prolongs the detection process of the cyber-attack by cyber security mechanisms, due to the time difference between the original penetration and the actual time of the attack,” says Eran Goldstein, CEO and Founder of CRITIFENCE.

Schneider Electric is among the most common SCADA vendors in North America, Europe and worldwide, and its products are used in nearly every modern automated factory or processing plant. The vulnerabilities affect all firmware versions of Schneider Electric’s Modicon M221 series PLCs.

Doron Maman, CRITIFENCE’s VP R&D, stated: “The new vulnerabilities discovered are the result of hard work. The issue isn’t only the vulnerabilities themselves, but rather understanding the advanced cyber-attack vector which aims to silently manipulate the proper production automation process. The PLCHijacking and PLCDisconnect vulnerabilities will give a malicious attacker the capability to alter the PLC’s network configuration or disconnect it, so that it will need to be physically reached in order to fix the issue.”
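The two statements above describe the same effect: an attacker rewrites the PLC’s IP address, netmask or gateway, the controller silently drops off the SCADA network, and nobody notices until the process stalls and a technician has to walk to the cabinet. What a plant operator can do today, independent of the vendor fix, is keep an engineering baseline of every PLC’s network configuration and grade each deviation seen in a periodic inventory snapshot. The following is an added example written for this article; it is not CRITIFENCE’s proof of concept or Schneider Electric’s software, it does not talk to a PLC, and the device names, addresses and the “observed” snapshot are constructed. How the snapshot is collected (passive capture, switch ARP tables, vendor tooling) is assumed and left outside the code.

```python
"""Baseline-drift check for PLC network configuration (added example).

Illustrative code for this page, not CRITIFENCE's PoC or Schneider
Electric's software. It models the effect described in the text: an
attacker rewrites a PLC's IP/netmask/gateway so the PLC drops off the
SCADA network. The check compares an engineering baseline with an
observed inventory snapshot and grades each difference. Device names,
addresses and the snapshot are constructed; how the snapshot is
collected (passive capture, ARP table, vendor tooling) is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetConfig:
    ip: str
    netmask: str
    gateway: str

    def network(self):
        # strict=False: ip is a host address, so host bits are set
        return ip_network(f"{self.ip}/{self.netmask}", strict=False)

    def consistent(self) -> bool:
        # A gateway outside the PLC's own subnet can never be reached:
        # the device is cut off from everything beyond its L2 segment.
        return ip_address(self.gateway) in self.network()


# Constructed engineering baseline (what each PLC *should* be set to).
BASELINE: Dict[str, NetConfig] = {
    "M221-line1": NetConfig("192.168.10.21", "255.255.255.0", "192.168.10.1"),
    "M221-line2": NetConfig("192.168.10.22", "255.255.255.0", "192.168.10.1"),
    "M221-pack":  NetConfig("192.168.10.23", "255.255.255.0", "192.168.10.1"),
    "M221-mix":   NetConfig("192.168.10.24", "255.255.255.0", "192.168.10.1"),
}

# Constructed snapshot after a hypothetical reconfiguration attack.
# None means the PLC no longer answers at any address we know of.
OBSERVED: Dict[str, Optional[NetConfig]] = {
    "M221-line1": NetConfig("192.168.10.21", "255.255.255.0", "192.168.10.1"),
    "M221-line2": NetConfig("10.0.0.22", "255.255.255.0", "10.0.0.1"),
    "M221-pack":  None,
    "M221-mix":   NetConfig("192.168.10.24", "255.255.255.0", "192.168.99.1"),
}

Finding = Tuple[str, str, str]  # (device, severity, message)
FIELDS = ("ip", "netmask", "gateway")


def assess(baseline: Dict[str, NetConfig],
           observed: Dict[str, Optional[NetConfig]]) -> List[Finding]:
    """Grade every deviation of the observed snapshot from the baseline."""
    findings: List[Finding] = []
    for name, expected in baseline.items():
        got = observed.get(name)
        if got is None:
            findings.append((name, "high",
                             "not reachable at its baseline address; "
                             "possible remote network reconfiguration"))
            continue
        if got == expected:
            continue
        changed = ",".join(f for f in FIELDS
                           if getattr(got, f) != getattr(expected, f))
        if not got.consistent():
            sev, why = "high", ("gateway is outside the PLC's own subnet "
                                "(PLC effectively disconnected)")
        elif got.network() != expected.network():
            sev, why = "high", "PLC moved to a different subnet"
        else:
            sev, why = "medium", "address changed within the baseline subnet"
        findings.append((name, sev, f"changed {changed}: {why}"))
    for name in observed:
        if name not in baseline:
            findings.append((name, "low", "device not in baseline"))
    return findings


def demo() -> List[Finding]:
    """Run the check over the constructed snapshot."""
    return assess(BASELINE, OBSERVED)


if __name__ == "__main__":
    for device, sev, msg in demo():
        print(f"[{sev.upper():6}] {device}: {msg}")
```

The grading deliberately treats a PLC that has vanished, or whose new gateway lies outside its own subnet, as the highest severity: both match the “disconnect, then fix on site” outcome the researchers describe, and both are invisible to a monitor that only watches process values. Run the check on every inventory cycle, not only after an incident, since the text notes the gap between the initial intrusion and the moment the reconfiguration is actually triggered.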

Over the past few months, the joint effort of Schneider Electric and CRITIFENCE led to the new discovery, which was listed and certified by ICS-CERT as the vulnerabilities referred to by CRITIFENCE’s Critical Infrastructure and SCADA/ICS Cyber Threats Research Group (plus an additional 0-day vulnerability):


  • ICS-CERT: Schneider Electric Modicon M221 (ICSA-18-324-02)
  • NIST: Network Configuration Bypass Vulnerability (CVE-2018-7798)
  • MITRE: Network Configuration Bypass Vulnerability (CVE-2018-7798)
  • Schneider Electric: Important Cyber Security Notification - Modicon M221 (SEVD-2018-270-01)


CVE-2018-7798 | Proof of Concept (PoC)




“One of the main issues one must take into consideration for such an attack is that the restoration process would take a long time. The cost of such a substantial disturbance may lead to a shutdown, resulting in more than down-time, as is the case with critical processes. Furthermore, since dealing with the OT network is much more complicated due to operational reasons, on many occasions up-to-date backups are unavailable, which would require complete reconfiguration of the manufacturing process. Lastly, let’s assume the backups went on-air as soon as possible; what would prevent the same attack from re-occurring if the point of attack is in fact not initiated from the PLC but uses it as a means to an end from another location in the network?” said Alexey Baltacov, CRITIFENCE’s CTO.

“Due to the complexity of new cyber-attack vectors in SCADA systems and OT networks, which rely on multiple threats, the detection of a single vulnerability or vector is not enough, and real-time correlation and advanced analysis between several cyber threats and vectors may be required. With the effort of our Critical Infrastructure and SCADA/ICS Cyber Threats Research Group, we found such a case of a complex cyber-attack vector, and through the collaboration with both ICS-CERT and Schneider Electric we have proven (via a proof of concept) the existence of the vulnerabilities and their capabilities,” stated Maureen Pushinsky, CRITIFENCE’s CIO.

During 2017 – 2018, CRITIFENCE’s Critical Infrastructure and SCADA/ICS Cyber Threats Research Group has worked closely with Schneider Electric and ICS-CERT. The collaboration has so far resulted in the discovery of twelve zero-day vulnerabilities. Some of these vulnerabilities have already been published by ICS-CERT and Schneider Electric:


Following the disclosure, Schneider Electric confirmed the vulnerabilities and the findings as presented by CRITIFENCE. Schneider Electric published a security notification about the resolution of this flaw, which states: “Schneider Electric would like to thank Eran Goldstein of CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group for discovery and responsible disclosure support.”

CRITIFENCE is a leading Critical Infrastructure, SCADA and Industrial Control Systems cyber security company. The company develops and provides cyber security technology; its main solution, SCADADome, was designed to provide full visibility, vulnerability assessment and advanced threat prevention for Critical Infrastructure, SCADA and Industrial Control Systems, allowing operators to monitor, control and analyse the cyber security, events and vulnerabilities of OT networks effectively and passively.




For more information about CRITIFENCE® Cyber Security Solution for Critical Infrastructure,
SCADA and Industrial Control Systems and the SCADADome solution, download SCADADome Solution White Paper.