CVE-2025-3112: CWE-400 Uncontrolled Resource Consumption in Schneider Electric Modicon Controllers M241/M251
CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an authenticated malicious user sends a manipulated HTTPS Content-Length header to the webserver.
AI Analysis
Technical Summary
CVE-2025-3112 is a high-severity vulnerability (CVSS 7.1) affecting Schneider Electric Modicon Controllers M241 and M251, specifically versions prior to 5.3.12.51. The vulnerability is classified under CWE-400, which relates to uncontrolled resource consumption. The issue arises when an authenticated malicious user sends a manipulated HTTPS Content-Length header to the embedded webserver running on these controllers. This malformed header can cause the webserver to consume excessive resources, leading to a Denial of Service (DoS) condition. The vulnerability does not require user interaction and can be exploited remotely over the network without additional privileges beyond authentication. The attack vector is network-based (AV:N), with low attack complexity (AC:L), and no user interaction (UI:N). The vulnerability impacts availability (VA:H) but does not affect confidentiality or integrity. The Modicon M241 and M251 controllers are programmable logic controllers (PLCs) widely used in industrial control systems (ICS) for automation in manufacturing, energy, and critical infrastructure sectors. The embedded webserver is typically used for device management and monitoring, making this vulnerability a potential risk for operational disruptions if exploited. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that remediation may still be pending or in development. The vulnerability was reserved in April 2025 and published in June 2025, reflecting recent discovery and disclosure.
Potential Impact
For European organizations, this vulnerability poses a significant risk to industrial environments that rely on Schneider Electric Modicon M241 and M251 controllers. These devices are commonly deployed in manufacturing plants, energy distribution networks, water treatment facilities, and building automation systems across Europe. Exploitation could lead to denial of service of critical control devices, causing operational downtime, production losses, and potentially safety hazards if automated processes are disrupted. Given the controllers’ role in critical infrastructure, an attack could have cascading effects on supply chains and essential services. The requirement for authentication limits the attack surface to insiders or attackers who have obtained valid credentials, but this does not eliminate the risk, especially in environments with weak access controls or compromised credentials. The lack of impact on confidentiality and integrity reduces the risk of data breaches or manipulation but does not diminish the operational threat. European organizations with industrial automation deployments should prioritize assessing their exposure and readiness to respond to potential DoS attacks targeting these controllers.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to the Modicon controllers’ webserver interfaces by implementing network segmentation and firewall rules to limit access only to trusted management stations.
2. Enforce strong authentication mechanisms and credential management policies to prevent unauthorized access, including multi-factor authentication where possible.
3. Monitor network traffic for anomalous HTTPS requests, particularly those with irregular Content-Length headers, to detect potential exploitation attempts.
4. Apply any available firmware updates or patches from Schneider Electric as soon as they are released to address this vulnerability.
5. If patches are not yet available, consider disabling the webserver interface if it is not essential for operations or using alternative management methods.
6. Conduct regular security audits and penetration testing focused on industrial control systems to identify and remediate similar vulnerabilities proactively.
7. Establish incident response plans specifically for ICS environments to quickly isolate and recover from DoS conditions affecting controllers.
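One way to implement the Content-Length monitoring in recommendation 3, as an added example that is not part of the original advisory or any Schneider Electric code. It assumes the decrypted request head is available at a TLS-terminating reverse proxy in front of the controller; the 1 MiB ceiling, the finding names and the sample requests are assumptions, and because the advisory does not say how the header is manipulated, the checks cover generic RFC 9110 irregularities rather than the specific trigger.

```python
import re

MAX_BODY = 1 << 20          # assumed policy ceiling (1 MiB) for management requests
_DIGITS = re.compile(rb"[0-9]+")

def content_length_findings(head, body_seen=None, max_body=MAX_BODY):
    """Return sorted reasons why a request head's Content-Length is irregular."""
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # drop request line
    values, has_te = [], False
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == b"content-length":
            # A repeated or comma-joined field is only valid if every member is identical.
            values += [v.strip(b" \t") for v in value.split(b",")]
        elif name == b"transfer-encoding":
            has_te = True
    findings = set()
    if len(set(values)) > 1:
        findings.add("conflicting-values")
    if values and has_te:
        findings.add("combined-with-transfer-encoding")
    for v in set(values):
        if not _DIGITS.fullmatch(v):
            findings.add("not-a-decimal-integer")
        elif len(v) > 18 or int(v) > max_body:   # length guard avoids huge int parsing
            findings.add("exceeds-policy-limit")
        elif body_seen is not None and int(v) != body_seen:
            findings.add("body-length-mismatch")
    return sorted(findings)

# Constructed sample request heads (not captured traffic); paths are placeholders.
SAMPLES = {
    "normal":    (b"POST /example HTTP/1.1\r\nHost: plc\r\nContent-Length: 12\r\n\r\n", 12),
    "negative":  (b"POST /example HTTP/1.1\r\nHost: plc\r\nContent-Length: -1\r\n\r\n", 0),
    "huge":      (b"POST /example HTTP/1.1\r\nHost: plc\r\nContent-Length: 99999999999999999999\r\n\r\n", 0),
    "duplicate": (b"POST /example HTTP/1.1\r\nHost: plc\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\n", 5),
    "short":     (b"POST /example HTTP/1.1\r\nHost: plc\r\nContent-Length: 400\r\n\r\n", 8),
}

def scan(samples=SAMPLES):
    """Map each sample name to its findings; an empty list means nothing irregular."""
    return {name: content_length_findings(head, seen) for name, (head, seen) in samples.items()}

if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:10} {findings or 'ok'}")
```

Requests that produce any finding can be rejected at the proxy before they reach the controller and logged with the authenticated account, since the advisory states the sender must be authenticated.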
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland, Spain, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: schneider
- Date Reserved: 2025-04-02T09:53:20.251Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68487f561b0bd07c3938a48d
Added to database: 6/10/2025, 6:54:14 PM
Last enriched: 7/11/2025, 12:49:49 AM
Last updated: 8/9/2025, 8:35:44 PM