Cyber Resilience

CVE-2021-22789

MediumUpdated

Published: 02 September 2021

Published
02 September 2021
Modified
29 May 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0044 63.5th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-22789 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Schneider-Electric Modicon M340 Bmxp341000. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 36.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project file exists…

more

in Modicon M580 CPU (part numbers BMEP* and BMEH*, all versions), Modicon M340 CPU (part numbers BMXP34*, all versions), Modicon MC80 (part numbers BMKC80*, all versions), Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions), PLC Simulator for EcoStruxureª Control Expert, including all Unity Pro versions (former name of EcoStruxureª Control Expert, all versions), PLC Simulator for EcoStruxureª Process Expert including all HDCS versions (former name of EcoStruxureª Process Expert, all versions), Modicon Quantum CPU (part numbers 140CPU*, all versions), Modicon Premium CPU (part numbers TSXP5*, all versions).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

schneider-electric
modicon m340 bmxp341000
all versions
schneider-electric
modicon m340 bmxp342010
all versions
schneider-electric
modicon m340 bmxp342020
all versions
schneider-electric
modicon m340 bmxp342030
all versions
schneider-electric
modicon m580 bmeh582040
all versions
schneider-electric
modicon m580 bmeh582040c
all versions
schneider-electric
modicon m580 bmeh582040s
all versions
schneider-electric
modicon m580 bmeh584040
all versions
schneider-electric
modicon m580 bmeh584040c
all versions
schneider-electric
modicon m580 bmeh584040s
all versions
+39 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-119

Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.

addresses: CWE-119

Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.

addresses: CWE-119

Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.

addresses: CWE-119

Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.

References