Overview
This conference talk examines vulnerabilities in Schneider Electric's Modicon M340 PLCs, controllers that sit between engineering stations or SCADA HMIs and the physical process they drive. Researchers Amir Zaltzman and Avishai Wool describe how they reverse-engineered the PLC's cryptographic protocol and found flaws that let an attacker impersonate an engineering station, produce correctly signed messages, and inject malicious communications. They then cover further weaknesses in the PLC's memory handling that enable remote code execution, installation of a persistent rootkit, and potentially reprogramming of the boot firmware over the network, and close with the implications for industrial systems that rely on these PLCs as the last hop before the physical control mechanisms.
Syllabus
From Pass-the-Hash to Code Execution on Schneider Electric M340 PLCs
Taught by
Black Hat