CVE-2020-7534 in Modicon M340
Summary
by MITRE • 02/05/2022
A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user is logged in. Affected Products: Modicon M340 CPUs: BMXP34 (All Versions), Modicon Quantum CPUs with integrated Ethernet (Copro): 140CPU65 (All Versions), Modicon Premium CPUs with integrated Ethernet (Copro): TSXP57 (All Versions), Modicon M340 ethernet modules: (BMXNOC0401, BMXNOE01, BMXNOR0200H) (All Versions), Modicon Quantum and Premium factory cast communication modules: (140NOE77111, 140NOC78*00, TSXETY5103, TSXETY4103) (All Versions)
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/29/2026
Cross-site request forgery represents a critical web application vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users within a web server environment. This specific vulnerability affects industrial control systems manufactured by Schneider Electric, particularly targeting their Modicon M340, Quantum, and Premium series CPUs along with associated communication modules. The flaw exists in the web server implementation of these devices, creating a pathway for malicious actors to exploit the trust relationship between the user's browser and the vulnerable web application.
The technical mechanism behind this CSRF vulnerability involves the absence of proper anti-CSRF protection measures within the web interface of these industrial controllers. When users authenticate to the web-based management interfaces of these devices, their sessions remain active and trusted by the server. An attacker can craft malicious requests that, when executed through a victim's browser, will be processed by the web server with the victim's authenticated privileges. This occurs because the vulnerable web application fails to validate the origin of requests or implement anti-CSRF tokens that would normally prevent such cross-origin operations from succeeding.
The operational impact of this vulnerability extends beyond simple data leakage into potentially catastrophic system compromise scenarios. Given that these devices control industrial processes and manufacturing environments, unauthorized actions could result in production disruptions, safety hazards, or even physical damage to equipment. The vulnerability particularly affects systems where these controllers are connected to networks with untrusted users or where the web interfaces are accessible from external networks without proper network segmentation. During the time a user remains logged into any of these vulnerable products, an attacker could execute commands that modify system configurations, access sensitive operational data, or potentially disrupt industrial processes.
The affected product line includes multiple generations of Modicon controllers ranging from BMXP34 CPUs in the M340 series to TSXP57 CPUs in the Premium series, along with various communication modules such as BMXNOC0401, BMXNOE01, and 140NOE77111. These devices operate within industrial environments where security is paramount, making this vulnerability particularly concerning for critical infrastructure sectors. The widespread nature of these affected versions suggests that organizations operating multiple installations across different facilities may be simultaneously exposed to this risk.
Organizations should implement immediate mitigations including network segmentation to restrict access to these web interfaces, ensuring they are only accessible from trusted internal networks. All affected devices should be updated with vendor-provided security patches that implement proper CSRF protection mechanisms such as anti-CSRF tokens and origin validation checks. Regular security assessments of industrial control system web interfaces should be conducted to identify similar vulnerabilities, and access controls should be strictly enforced through authentication mechanisms and role-based permissions. The vulnerability aligns with CWE-352's classification as a fundamental web application security flaw that requires proper implementation of request origin verification and token-based protection measures to prevent unauthorized operations within authenticated sessions.
The risk assessment for these industrial control systems should consider both the technical exposure and potential business impact, particularly in environments where operational technology networks are not properly isolated from corporate IT networks. This vulnerability demonstrates the importance of applying security best practices to industrial web interfaces, as the consequences of exploitation extend far beyond traditional data breach scenarios into potentially dangerous operational disruptions that could affect public safety and industrial production capabilities.