CVE-2025-7852: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2018-7852 is an uncaught exception vulnerability affecting Schneider Electric Modicon controllers. The vulnerability was discovered in April 2025 and affects multiple Modicon controller models including Premium, M580, M340, and Quantum series. When exploited, this vulnerability could cause a denial-of-service condition when an invalid private command parameter is sent to the controller over Modbus (CISA).

The vulnerability has been assigned a CVSS v3 base score of 7.5 (High) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Additionally, it has received a CVSS v4 score of 8.7 with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-248 (Uncaught Exception) and can be triggered remotely with low attack complexity (CISA).

Successful exploitation of this vulnerability could result in a denial-of-service condition when an invalid private command parameter is sent to the controller over Modbus. This could potentially lead to a loss of availability of the affected controller, impacting industrial control systems operations (CISA).

Schneider Electric has released fixes for various affected products. For Modicon Premium controllers, the fix is available in version 3.60. Users are advised to upgrade to the latest firmware versions that contain the security fixes. Detailed update steps can be found in Schneider Electric's security advisory SEVD-2019-134-11 (CISA).