Denial-of-Service Vulnerability (CVE-2025-13901) in Schneider Electric Modicon M241/M251/M262 PLCs Threatens Critical Infrastructure
What It Is – A CWE‑404 “Improper Resource Shutdown or Release” flaw in Schneider Electric’s Modicon M241, M251 and M262 programmable logic controllers (PLCs) allows an unauthenticated attacker to flood the Machine Expert protocol with malicious payloads, forcing a partial denial‑of‑service (DoS).
Exploitability – The vulnerability is publicly disclosed (CVE‑2025‑13901) and a proof‑of‑concept exists. No active exploit reports in the wild yet, but the attack requires only network access to the PLC’s control interface. CVSS v3.1 base score 5.3 (Moderate).
Affected Products – Schneider Electric Modicon M241 (versions < 5.4.13.12), Modicon M251 (versions < 5.4.13.12) and Modicon M262 (versions < 5.4.10.12).
TPRM Impact – These PLCs are deployed in commercial facilities, critical manufacturing lines, and energy generation/distribution sites worldwide. A successful DoS could halt production, disrupt power delivery, and force customers to seek alternate suppliers, creating a supply‑chain ripple effect.
Recommended Actions –
- Inventory all Schneider Electric Modicon M241/M251/M262 devices and verify firmware versions.
- Apply Schneider Electric’s security patches (≥ 5.4.13.12 for M241/M251, ≥ 5.4.10.12 for M262) immediately.
- Segregate PLC networks from corporate IT and enforce strict firewall rules to limit unauthenticated access.
- Enable intrusion‑detection monitoring for abnormal Machine Expert traffic.
- Update third‑party risk registers to reflect the new DoS exposure and reassess vendor risk scores.
Source: CISA Advisory – ICSA‑26‑078‑01