Information disclosure in Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H

Published: 2025-02-07

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2024-12142
CWE-ID	CWE-200
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Modicon M340 Hardware solutions / Firmware BMXNOE0100 Hardware solutions / Firmware BMXNOE0110 Hardware solutions / Firmware BMXNOR0200H Hardware solutions / Firmware
Vendor	Schneider Electric

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU103694

Risk: High

CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-12142

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system, leading to modification of web page and denial of service (DoS) condition.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Modicon M340: All versions

BMXNOE0100: All versions

BMXNOE0110: All versions

BMXNOR0200H: before SV1.70IR26

CPE2.3

External links

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-05.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-035-06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.