
Schneider Modicon CVE-2026-3041: Why EU Substations Should Patch in Fourteen Days


Schneider Electric published an emergency advisory on 22 April for CVE-2026-3041, a pre-authentication remote code execution flaw in Modicon M340 and M580 firmware [1]. The vulnerability scores 9.8 on CVSS v3.1, and working exploit code surfaced in a private intel feed within seventy-two hours [2]. For European electrical substation operators and water treatment facilities running this PLC family, the right patch window is fourteen days, not the ninety-day cycle that NIS2 minimum-measures language permits.

What happened

The flaw exists in the Modbus/TCP server module compiled into firmware versions 3.40 through 4.18 [1]. An unauthenticated attacker who can reach the Modbus port 502 can submit a malformed function code 90 request that triggers heap corruption in the firmware's request parser. The exploit then redirects execution to attacker-controlled memory and runs arbitrary code with the same privileges as the firmware itself, which on these PLC models is functionally root.

Schneider's advisory credits Claroty Team82 with coordinated disclosure on 12 February. The vendor delayed publication by ten weeks to coordinate patches across thirteen affected SKUs. The first proof-of-concept exploit appeared on the Russian-language XSS forum on 25 April, three days after the public advisory release [2].

Technical detail

Modbus function code 90 is reserved for vendor-specific extensions and is rarely seen in production traffic. Schneider implemented several diagnostic commands under this code, and that is where the bounds-check failure lives. Specifically, when the firmware processes a function 90 request with sub-code 0x13, it reads a length byte from the request payload and copies that many bytes into a 256-byte stack buffer without validating the length [3].

Detection from network monitoring is straightforward: any function code 90 sub-code 0x13 traffic directed at an M340 or M580 from outside the engineering workstation segment is an exploit attempt or post-exploit reconnaissance. Vendor-specific function codes carry little legitimate traffic, which makes the signal cleaner than detection rules for standard Modbus commands.
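The detection rule above, written out as an added example (not code from Schneider, Claroty or this post): a small Modbus/TCP parser that validates the MBAP header and then rates each request by function code, sub-code and source segment. The PDU layout after the function code (sub-code byte, length byte, payload) and the engineering segment address range are assumptions made for illustration.

```python
import ipaddress
import struct
from typing import NamedTuple
# Function code 90, sub-code 0x13 and the "outside the engineering segment" rule
# come from the advisory text; the PDU layout (sub-code byte, length byte, payload)
# and the engineering segment range below are assumptions for this example.
VENDOR_FC = 90
VULN_SUBCODE = 0x13
ENGINEERING_SEGMENT = ipaddress.ip_network("10.10.5.0/24")  # assumed range

class Verdict(NamedTuple):
    level: str   # "ok" | "suspicious" | "exploit-attempt"
    reason: str

def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (unit_id, function_code, pdu_data)."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7], frame[8:]

def classify(src_ip: str, frame: bytes) -> Verdict:
    """Rate one request with the detection logic described in the post."""
    try:
        _unit, fc, data = parse_mbap(frame)
    except ValueError as err:
        return Verdict("suspicious", f"malformed frame: {err}")
    if fc != VENDOR_FC:
        return Verdict("ok", f"standard function code {fc}")
    outside = ipaddress.ip_address(src_ip) not in ENGINEERING_SEGMENT
    if len(data) < 2:
        return Verdict("suspicious", "function 90 without sub-code and length")
    sub, declared = data[0], data[1]
    if sub != VULN_SUBCODE:
        where = "outside" if outside else "inside"
        return Verdict("suspicious" if outside else "ok",
                       f"function 90 sub-code {sub:#04x} from {where} segment")
    if outside:  # the post's rule: sub-code 0x13 from outside is an attempt
        return Verdict("exploit-attempt",
                       f"sub-code 0x13 from {src_ip}, declared length {declared}")
    if declared != len(data) - 2:  # length byte disagrees with bytes present
        return Verdict("suspicious", f"sub-code 0x13 declares {declared} bytes, {len(data) - 2} present")
    return Verdict("ok", "sub-code 0x13 from engineering segment, length consistent")

def build_frame(unit: int, fc: int, data: bytes, tid: int = 1) -> bytes:  # constructs sample frames
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data
```

Feed it frames reassembled from a port 502 capture; anything rated "exploit-attempt" should alert immediately, and "suspicious" results from inside the segment are worth a look at the engineering workstation.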

EU context

NIS2 Article 21(2)(e) requires risk-proportional vulnerability handling but does not prescribe a specific patch window. The EU Cyber Resilience Act takes effect for ICS components in late 2026 and will impose a 72-hour disclosure obligation on the vendor side once the manufacturer becomes aware of an actively exploited vulnerability. The Modicon M340 and M580 families remain widely deployed in EU electrical substations, water treatment facilities, and rail signaling systems [4].

For operators classified as essential under NIS2 (transmission system operators, water utilities serving a population of over 100,000), the supervisory authority can require justification for any patch window longer than the vendor-recommended urgency. Schneider classifies this advisory as critical, which carries an implicit fourteen-day expectation.

Sectoral implication

Three operational steps in priority order:

Schneider has not yet published a compensating control workaround. Pending the firmware update, the only effective mitigation is to block Modbus port 502 traffic from anything outside the engineering workstation segment, which is the configuration most utilities should have in place anyway.

Sources

  1. Schneider Electric Security Notification SEVD-2026-113-01. Schneider Electric ProductCERT, 22 Apr 2026.
  2. Active exploitation chatter on XSS forum. Recorded Future Insikt Group, 25 Apr 2026.
  3. CVE-2026-3041 technical analysis. Claroty Team82, 22 Apr 2026.
  4. European electricity ICS asset survey 2025. ENISA, 08 Nov 2025.