Talos Vulnerability Report


Schneider Electric Modicon M580 TFTP server information disclosure vulnerability

October 8, 2019
CVE Number



An exploitable information disclosure vulnerability exists in the TFTP server functionality of the Schneider Electric Modicon M580 Programmable Automation Controller. A specially crafted TFTP get request can cause a file download, resulting in disclosure of sensitive information. An attacker can send unauthenticated commands to trigger this vulnerability.

Tested Versions

Schneider Electric Modicon M580 BMEP582040 SV2.80

Product URLs


CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CWE-538: File and Directory Information Exposure


The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.

It’s possible to obtain various sensitive information from the device by requesting specific files from the Modicon M580’s TFTP server. The following files have been confirmed to successfully download from the tested device.

  • /usr/conf/ccsConfig.dat
  • /usr/diag/crash.bin
  • /usr/diag/crash.txt
  • /usr/diag/dwarfview.bin
  • /usr/diag/ecc_cpt.dat
  • /ram/moduli

Additionally, the file /usr/webpage.img can be downloaded using the same technique. This file is of note as it contains the unencrypted web server firmware and directory tree.

Exploit Proof of Concept

echo -e "connect\nget /usr/webpage.img\nquit\n" | tftp


2019-07-22 - Vendor Disclosure
2019-10-08 - Public Release


Discovered by Jared Rittle of Cisco Talos