root@rebel:~$ cd /news/threats/cve-2025-13901-modicon-m241-m251-m262-dos-vulnerability-patch_
[TIMESTAMP: 2026-03-19 20:17 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

CVE-2025-13901: Modicon M241, M251, M262 DoS Vulnerability Patch

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Schneider Electric Modicon controllers face DoS risk, affecting critical infrastructure operations.
  • [02] Modicon M241, M251, and M262 versions prior to specified firmware releases are affected.
  • [03] Immediately apply firmware updates for affected Modicon controllers.

Schneider Electric Modicon M241, M251, and M262 programmable logic controllers (PLCs), widely deployed across critical infrastructure sectors globally, are vulnerable to a Denial of Service (DoS) condition due to an Improper Resource Shutdown or Release flaw. This vulnerability, identified as CVE-2025-13901, could allow an unauthenticated attacker to disrupt operational technology (OT) environments, as detailed in an advisory from CISA. While there is no known public exploitation of this vulnerability reported to CISA at this time, the potential for disruption necessitates immediate attention from security professionals managing Industrial Control Systems (ICS).

Understanding CVE-2025-13901: DoS in Modicon Controllers

CVE-2025-13901 is categorized as a CWE-404 Improper Resource Shutdown or Release vulnerability. This flaw exists within the Machine Expert protocol used by the affected Modicon controllers. An attacker can exploit this by sending a specially crafted malicious payload. This payload is designed to occupy active communication channels on the device, preventing legitimate communications and leading to a partial DoS condition. This means that while the controller itself may not crash, its ability to process or respond to critical commands and data could be severely hampered, directly impacting the operations it controls.

The Common Vulnerability Scoring System (CVSS) v3.1 rates this vulnerability with a base score of 5.3, classifying its severity as MEDIUM. This score reflects that an attack does not require authentication and can be executed over the network (Attack Vector: Network), but its impact is limited to availability (confidentiality and integrity are not affected), and the system’s ability to recover may involve manual intervention.

Affected Schneider Electric Modicon M241, M251, and M262 Versions

The following versions of Schneider Electric Modicon controllers are vulnerable:

  • Modicon M241: All versions prior to 5.4.13.12 (Modicon_Controller_M241)
  • Modicon M251: All versions prior to 5.4.13.12 (Modicon_Controller_M251)
  • Modicon M262: All versions prior to 5.4.10.12 (Modicon_Controller_M262)

These controllers are integral to operations in various critical infrastructure sectors, including Commercial Facilities, Critical Manufacturing, and Energy, with deployments spanning worldwide. The nature of these environments means that even a partial DoS can have significant consequences, ranging from production halts to safety concerns.

Actionable Recommendations and Mitigation Steps for CVE-2025-13901

Defenders must prioritize immediate action to secure their ICS environments against this vulnerability. The primary recommendation from Schneider Electric and CISA is to apply the latest firmware updates.

Patch Guidance for Schneider Electric Modicon M241, M251, and M262 Controllers

To address CVE-2025-13901, users should update their controllers to the specified firmware versions delivered with EcoStruxure™ Machine Expert v2.5.0.1 (or v2.5 for M262). The updates can be installed via the Schneider Electric Software Installer.

  • Modicon M241: Update to Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1.
  • Modicon M251: Update to Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1.
  • Modicon M262: Update to Firmware version 5.4.10.12, delivered with EcoStruxure™ Machine Expert v2.5.

After installing the appropriate EcoStruxure™ Machine Expert version on the engineering workstation, proceed with updating the controller firmware and performing a reboot. Detailed instructions are available in the respective Modicon Controller Programming Guides.
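As an added illustration of the affected-version list and the patch targets above (this is not Schneider Electric's or CISA's tooling; the controller names, addresses and firmware strings in the inventory are constructed sample data), the following Python checks an asset inventory against the fixed firmware versions named in the advisory. The detail worth noticing is that firmware strings must be compared numerically, component by component: compared as plain strings, "5.4.9.20" sorts after "5.4.10.12", and a vulnerable controller would be reported as patched.

```python
"""Inventory triage for CVE-2025-13901: flag Modicon M241/M251/M262
controllers running firmware older than the fixed releases.

Added example, not vendor or CISA tooling. The fixed versions are the
ones stated in the advisory; the inventory below is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed firmware versions per product family, as stated in the advisory.
FIXED_FIRMWARE = {
    "M241": "5.4.13.12",
    "M251": "5.4.13.12",
    "M262": "5.4.10.12",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string into a tuple of ints for comparison.

    Lexical comparison is the classic mistake here: "5.4.9.20" > "5.4.10.12"
    as strings, although 5.4.9.20 is the OLDER build. Missing trailing
    components are padded with zeros so "5.4.13" equals "5.4.13.0".
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


@dataclass
class Controller:
    name: str      # hypothetical asset name
    model: str     # product family, e.g. "M241"
    firmware: str  # firmware version as reported by the device
    address: str   # constructed management address


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if firmware is older than the fixed release for this model.

    Returns None for models the advisory does not cover, so unknown
    hardware is surfaced for manual review instead of silently passing.
    """
    fixed = FIXED_FIRMWARE.get(model.upper())
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory: List[Controller]) -> Dict[str, List[str]]:
    """Bucket controllers into vulnerable / patched / unknown by name."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for c in inventory:
        verdict = is_vulnerable(c.model, c.firmware)
        if verdict is None:
            result["unknown"].append(c.name)
        elif verdict:
            result["vulnerable"].append(c.name)
        else:
            result["patched"].append(c.name)
    return result


# Constructed sample inventory (hypothetical names, models and addresses).
SAMPLE_INVENTORY = [
    Controller("plc-line1", "M241", "5.4.9.20", "10.10.1.11"),   # older build
    Controller("plc-line2", "M241", "5.4.13.12", "10.10.1.12"),  # exactly the fix
    Controller("plc-pack1", "M251", "5.4.13.5", "10.10.1.21"),   # older patch level
    Controller("plc-mix1", "M262", "5.4.10.12", "10.10.1.31"),   # fixed for M262
    Controller("plc-mix2", "M262", "5.4.10.9", "10.10.1.32"),    # older build
    Controller("ctrl-other", "MXXX", "1.0", "10.10.1.50"),       # placeholder model
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s}: {', '.join(names) or '-'}")
```

Note that the M262 threshold (5.4.10.12) is lower than the M241/M251 threshold (5.4.13.12), so the check has to be keyed on the model rather than on a single global version.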

General Mitigations and How to Prevent Denial-of-Service in Modicon Controllers

For organizations that cannot immediately apply firmware updates or as an additional layer of defense, several mitigations can reduce the risk of exploitation and help prevent denial-of-service in Modicon controllers:

  • Network Segmentation: Minimize network exposure for all control system devices. Ensure ICS networks are physically and logically isolated from corporate and untrusted networks, including the public internet.
  • Firewall Rules: Implement robust firewall rules to filter ports and IP addresses, restricting communication to only necessary and authorized sources.
  • Secure Remote Access: If remote access is essential, use secure methods such as Virtual Private Networks (VPNs). Keep VPNs up to date, and recognize that a VPN is only as secure as the endpoints connected to it.
  • Hardening Guidelines: Refer to the “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provided by Schneider Electric for product-specific hardening recommendations. This document outlines best practices for securing these devices in operational environments.
  • Proactive Monitoring: Implement monitoring solutions to detect unusual network traffic patterns or attempts to communicate with ICS devices from unauthorized sources.
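The firewall-rule and proactive-monitoring items above both come down to one question: which sources are allowed to talk to the controllers, and who else is trying? As an added example (not CISA's or Schneider Electric's tooling), the Python below applies an engineering-workstation allowlist to flow records and groups every non-allowlisted source that reached the controller subnet, with a count and the targets hit. The controller subnet, the allowed addresses and the flow lines are constructed; the record format ("timestamp src dst proto") is a hypothetical simplified export, not any specific vendor's log format.

```python
"""Allowlist check for traffic reaching PLC addresses.

Added example for the firewall-rule and monitoring mitigations; not
vendor or CISA tooling. All addresses and flow records are constructed.
"""
import ipaddress
from typing import Dict, Optional

# Constructed: the subnet holding the Modicon controllers, and the
# engineering workstations that are permitted to reach them.
CONTROLLER_NET = ipaddress.ip_network("10.10.1.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address(a) for a in ("10.20.5.10", "10.20.5.11")}

# Constructed flow records in a hypothetical "timestamp src dst proto" layout.
# One line is deliberately malformed to show that it is skipped, not fatal.
SAMPLE_FLOWS = """\
2026-03-19T20:01:02Z 10.20.5.10 10.10.1.11 tcp
2026-03-19T20:01:05Z 10.20.5.11 10.10.1.12 tcp
2026-03-19T20:02:10Z 10.30.7.44 10.10.1.11 tcp
2026-03-19T20:02:11Z 10.30.7.44 10.10.1.11 tcp
2026-03-19T20:02:12Z 10.30.7.44 10.10.1.11 tcp
2026-03-19T20:03:00Z 10.20.5.10 10.10.1.31 tcp
2026-03-19T20:04:00Z 192.0.2.77 10.10.1.12 tcp
2026-03-19T20:05:00Z not-an-ip 10.10.1.11 tcp
2026-03-19T20:05:30Z 10.30.7.44 10.20.5.10 tcp
"""


def parse_flow(line: str) -> Optional[dict]:
    """Parse one record; return None for anything that is not well-formed."""
    fields = line.split()
    if len(fields) != 4:
        return None
    ts, src, dst, proto = fields
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "proto": proto}
    except ValueError:
        return None


def find_unauthorized(flow_text: str,
                      controller_net=CONTROLLER_NET,
                      allowed=ALLOWED_SOURCES) -> Dict[str, dict]:
    """Group flows that reach the controller subnet from sources outside
    the allowlist, keyed by source, with count, targets and first sighting.

    Repeated hits from one source show up as a rising count, which is the
    shape a channel-exhaustion attempt against a controller would take.
    """
    findings: Dict[str, dict] = {}
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dst"] not in controller_net:
            continue                     # malformed, or not PLC-bound traffic
        if flow["src"] in allowed:
            continue                     # authorized engineering workstation
        entry = findings.setdefault(
            str(flow["src"]),
            {"count": 0, "targets": set(), "first_seen": flow["ts"]},
        )
        entry["count"] += 1
        entry["targets"].add(str(flow["dst"]))
    return findings


if __name__ == "__main__":
    for src, info in find_unauthorized(SAMPLE_FLOWS).items():
        print(f"{src}: {info['count']} flow(s) to {sorted(info['targets'])} "
              f"since {info['first_seen']}")
```

The same allowlist is the natural input for the firewall rule itself: anything not in ALLOWED_SOURCES should be dropped before it reaches the controller subnet, and this check then confirms that the rule is actually holding.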

Organizations should conduct a thorough impact analysis and risk assessment before deploying any defensive measures to ensure operational continuity. Reporting suspected malicious activity to CISA or relevant authorities is also encouraged for broader threat intelligence sharing and correlation. Implementing these mitigation steps for CVE-2025-13901 is crucial for maintaining the resilience and security of critical industrial operations.
