CVE-2017-6026

CRITICAL

Schneider Electric Modicon PLCs <4.0.5.11 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-6026. PoCs published by Photubias.

AI-analyzed exploit summary This exploit calculates the static session cookie of Schneider Electric PLCs by parsing the firmware log file, which contains the epoch time at PLC startup. It then uses this cookie to authenticate as 'Administrator' or 'USER' and retrieve device information, demonstrating an authentication bypass vulnerability.

Description

A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application are lacking randomization and are shared between several users. This may allow a current session to be compromised.

Exploits (1)

exploitdb WORKING POC

by Photubias · pythonwebappshardware

https://www.exploit-db.com/exploits/45918

View Code ZIP pw:eip

This exploit calculates the static session cookie of Schneider Electric PLCs by parsing the firmware log file, which contains the epoch time at PLC startup. It then uses this cookie to authenticate as 'Administrator' or 'USER' and retrieve device information, demonstrating an authentication bypass vulnerability.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Schneider Electric PLC (TM241CE40R) with Firmware 4.0.2.11 & Boot 0.0.2.11

No auth needed

Prerequisites: Network access to the target PLC · Firmware log file accessible at /usr/Syslog/FwLog.txt · Default credentials ('Administrator:admin' or 'USER:USER') must have been used at least once since the last reboot

MITRE ATT&CK

T1110 - Brute Force T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, US Government Resource x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/97254

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45918/

Scores

CVSS v3 9.1

EPSS 0.3182

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-330

Status published

Products (3)

n/a/Schneider Electric Modicon PLCs Schneider Electric Modicon PLCs

schneider-electric/modicon_m241_firmware < 4.0.3.20

schneider-electric/modicon_m251_firmware < 4.0.3.20

Published Jun 30, 2017

Tracked Since Feb 18, 2026