CVE-2021-22786
high-risk
Published 2023-02-01
A CWE-200: Information Exposure vulnerability exists that could cause the exposure of sensitive information stored on the memory of the controller when communicating over the Modbus TCP protocol. Affected Products: Modicon M340 CPU (part numbers BMXP34*) (Versions prior to V3.30), Modicon M580 CPU (part numbers BMEP* and BMEH*) (Versions prior to SV3.20), Modicon MC80 (BMKC80) (Versions prior to V1.6), Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions), Modicon Momentum MDI (171CBU*) (Versions prior to V2.3), Legacy Modicon Quantum (All Versions)
Do I need to act?
EPSS score: 0.32% chance of exploitation (low exploit probability)
CISA KEV: Not on CISA KEV list. No confirmed active exploitation reported to CISA
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 (High), NETWORK / LOW complexity
Affected Products (20)
Modicon M340 Bmxp342010 Firmware
Modicon M340 Bmxp342020H Firmware
Modicon M340 Bmxp342030 Firmware
Modicon M340 Bmxp3420302H Firmware
Modicon M340 Bmxp342030H Firmware
Modicon M580 Bmeh582040 Firmware
Modicon M580 Bmeh582040C Firmware
Modicon M580 Bmeh582040S Firmware
Modicon M580 Bmeh584040 Firmware
Modicon M580 Bmeh584040C Firmware
Modicon M580 Bmeh584040S Firmware
Modicon M580 Bmeh586040 Firmware
Modicon M580 Bmeh586040C Firmware
Modicon M580 Bmeh586040S Firmware
Modicon M580 Bmep581020 Firmware
Affected Vendors
51 / 100 (high-risk)
Severity: 26/34 · High
Exploitability: 1/34 · Minimal
Exposure: 24/34 · High