CVE-2020-7562: A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and M...
A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause a segmentation fault or a buffer overflow when uploading a specially crafted file on the controller over FTP.
Security readout for executives and security teams
Plain-English summary
This vulnerability affects Schneider Electric Modicon controller web server functionality. An authenticated FTP upload of a specially crafted file could crash the controller component or corrupt memory, creating operational availability risk in industrial environments.
Executive priority
Treat as a moderate OT availability issue. Prioritize sites where affected controllers support critical production processes or where FTP is reachable beyond tightly controlled engineering networks.
Technical view
CVE-2020-7562 is a CWE-125 out-of-bounds read in the Web Server on Modicon M340, Modicon Quantum, Modicon Premium Legacy offers, and related communication modules. The reported trigger is a crafted file uploaded over FTP, with potential segmentation fault or buffer overflow. CVSS 3.1 score is 6.3.
Likely exposure
Exposure is most likely in OT environments running the listed Modicon controllers or communication modules where FTP access is enabled and reachable by authenticated users.
Exploitation context
The source bundle does not show CISA KEV listing or other evidence of active exploitation. The CVSS vector indicates network access, low privileges, and user interaction, with high availability impact.
Researcher notes
Evidence is limited to the CVE source bundle and Schneider advisory reference. Exact affected versions, fixed versions, and vendor mitigations are not included in the bundle, so confirm details directly from SEVD-2020-315-01 before closure.
Mitigation direction
Review Schneider Electric advisory SEVD-2020-315-01 for affected versions and vendor fixes.
Inventory Modicon M340, Quantum, Premium Legacy, and related communication modules.
Restrict FTP access to trusted engineering hosts and OT management networks.
Remove unnecessary network exposure to controller web and FTP services.
Prioritize vendor-supported firmware or configuration guidance where applicable.
Validation and detection
Identify whether listed Modicon controller families or communication modules are deployed.
Confirm whether FTP is enabled and reachable from non-engineering networks.
Check firmware and module details against Schneider Electric advisory SEVD-2020-315-01.
Review OT firewall rules for controller FTP and web server access paths.
Look for unexpected controller crashes around authenticated FTP file upload activity.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
n/aWeb Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details)Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details)Listed
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-125 · source CWE mapping
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.