CVE-2019-6820 in Modicon M100
Summary
by MITRE
A CWE-306: Missing Authentication for Critical Function vulnerability exists which could cause a modification of device IP configuration (IP address, network mask and gateway IP address) when a specific Ethernet frame is received in all versions of: Modicon M100, Modicon M200, Modicon M221, ATV IMC drive controller, Modicon M241, Modicon M251, Modicon M258, Modicon LMC058, Modicon LMC078, PacDrive Eco ,PacDrive Pro, PacDrive Pro2
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/29/2026
The vulnerability identified as CVE-2019-6820 represents a critical authentication flaw classified under CWE-306, which specifically addresses missing authentication for critical functions within industrial control systems. This weakness affects a comprehensive suite of Modicon and PacDrive products including various M-series controllers and drive controllers, creating a significant security risk for industrial environments that rely on these devices for operational continuity and safety. The vulnerability manifests through the processing of specific Ethernet frames that can trigger unauthorized modifications to fundamental network configuration parameters.
The technical implementation of this vulnerability allows an attacker to manipulate device network settings without proper authentication mechanisms. When targeted Ethernet frames are received by affected devices, they can alter critical IP configuration parameters including IP addresses, subnet masks, and gateway addresses. This occurs because the affected systems lack proper authentication checks for network configuration modification functions, which violates fundamental security principles for industrial control systems. The flaw exists across multiple device families, suggesting a systemic design issue rather than an isolated incident, and affects all versions of the specified hardware platforms.
Operationally, this vulnerability creates substantial risks for industrial environments where network configuration integrity is crucial for system operation and security. Unauthorized modification of IP addresses and network parameters can lead to complete network isolation of affected devices, disruption of industrial processes, or potential access to adjacent network segments. The impact extends beyond simple network disruption as it could enable attackers to redirect device communications, perform man-in-the-middle attacks, or gain access to other networked systems within the industrial infrastructure. This vulnerability particularly threatens environments where these devices operate in closed-loop control systems where network stability directly impacts operational safety and production continuity.
Mitigation strategies for CVE-2019-6820 should focus on implementing network segmentation and access control measures to prevent unauthorized network traffic from reaching affected devices. Organizations should deploy network monitoring solutions to detect anomalous Ethernet frame patterns and establish strict network access controls using firewalls and network access control lists. The affected manufacturers have released firmware updates addressing this vulnerability, and organizations should prioritize applying these patches through controlled update procedures. Additionally, implementing network intrusion detection systems and conducting regular network audits can help identify unauthorized configuration changes. From an ATT&CK framework perspective, this vulnerability maps to techniques involving credential access and defense evasion, as it allows unauthorized modification of system parameters without detection. Network administrators should also consider implementing zero-trust network architectures where all network communications are verified regardless of source location, particularly for critical industrial control systems.