PT-2024-8142 · Schneider Electric · Schneider Electric Modicon M340 CPU BMXP34 +2

Published: 2024-11-12 · Updated: 2024-11-13 · CVE-2024-8937

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Schneider Electric Modicon M340 CPU BMXP34 (affected versions not specified)
Schneider Electric Modicon MC80 BMKC80 (affected versions not specified)
Schneider Electric Modicon Momentum Unity M1E Processor 171CBU (affected versions not specified)
Description: The vulnerability is an improper restriction of operations within the bounds of a memory buffer (a buffer overflow) that could lead to arbitrary code execution after a successful man-in-the-middle attack, in which a crafted Modbus function call is sent to tamper with the memory area involved in the authentication process.
Recommendations:
Schneider Electric Modicon M340 CPU BMXP34: consider disabling the Modbus function call until a patch is available.
Schneider Electric Modicon MC80 BMKC80: restrict access to the memory area involved in the authentication process to minimize the risk of exploitation.
Schneider Electric Modicon Momentum Unity M1E Processor 171CBU: avoid using the crafted Modbus function call in the affected API endpoint until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Buffer Overflow

Related Identifiers

BDU:2024-09683
CVE-2024-8937

Affected Products

Schneider Electric Modicon M340 CPU BMXP34
Schneider Electric Modicon MC80 BMKC80
Schneider Electric Modicon Momentum Unity M1E Processor 171CBU