Most legacy industrial protocols (Modbus, DNP3, Profinet) were designed in the 1980s and prioritize uptime over security. The MatSploit Key uses a proprietary fuzzing engine that scans for function code 0x90 (illegal or undefined operations). When a PLC receives a malformed packet containing the Key's signature, it enters a "Safe State" that is in fact unsafe: it releases control to the attacker.
Managing License Keys | Metasploit Documentation | © Rapid7

MatSploit Key
The MatSploit Key cannot defeat a physical dead-man switch. If you suspect active exploitation, cut the network connection to the RTU and switch to manual operation. The Key requires a network heartbeat to maintain its modified ladder logic; without the network, the PLC falls back to its burned-in ROM, which wipes the exploit.
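Deciding when to pull the network cable depends on recognising the malformed traffic in the first place. The following Python is an added example, not code from this page or from any Rapid7 product: it checks Modbus/TCP frames for the structural defects a defender would alert on (MBAP length that disagrees with the bytes on the wire, a non-Modbus protocol id, a truncated or undefined exception response). The field layout and exception-code table come from the public Modbus/TCP specification, where a function code with the high bit set (0x90 included, which answers Write Multiple Registers, 0x10) is the exception-response form of the base function. The sample frames are constructed for the example, not captured from a real PLC.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP MBAP header: transaction id (2), protocol id (2), length (2), unit id (1).
MBAP_LEN = 7
MAX_LENGTH_FIELD = 254  # unit id (1) + maximum PDU (253) per the Modbus/TCP spec

# Exception codes defined by the Modbus Application Protocol Specification.
EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SERVER DEVICE FAILURE",
    0x05: "ACKNOWLEDGE",
    0x06: "SERVER DEVICE BUSY",
    0x08: "MEMORY PARITY ERROR",
    0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}


@dataclass
class Finding:
    severity: str  # "info" (expected protocol behaviour) or "alert" (malformed)
    reason: str


def inspect_modbus_tcp(frame: bytes) -> list[Finding]:
    """Check one Modbus/TCP frame for structural defects and exception responses."""
    findings: list[Finding] = []
    if len(frame) < MBAP_LEN + 1:
        return [Finding("alert", "frame too short for MBAP header plus function code")]

    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        findings.append(Finding("alert", f"protocol id {proto} is not Modbus (0)"))
    # The length field counts unit id + PDU, so a whole frame is 6 + length bytes.
    on_wire = len(frame) - 6
    if length != on_wire:
        findings.append(Finding("alert", f"declared length {length} but {on_wire} bytes on the wire"))
    if length > MAX_LENGTH_FIELD:
        findings.append(Finding("alert", f"length {length} exceeds Modbus/TCP maximum {MAX_LENGTH_FIELD}"))

    fc = frame[MBAP_LEN]
    pdu_data = frame[MBAP_LEN + 1:]
    if fc & 0x80:
        # High bit set: exception response to function (fc & 0x7F); 0x90 answers 0x10.
        base = fc & 0x7F
        if len(pdu_data) != 1:
            findings.append(Finding("alert", f"exception response 0x{fc:02X} should carry exactly one exception-code byte, got {len(pdu_data)}"))
        else:
            name = EXCEPTION_CODES.get(pdu_data[0])
            if name is None:
                findings.append(Finding("alert", f"exception response 0x{fc:02X} carries undefined exception code 0x{pdu_data[0]:02X}"))
            else:
                findings.append(Finding("info", f"exception response to function 0x{base:02X}: {name}"))
    elif fc == 0:
        findings.append(Finding("alert", "function code 0 is not defined by Modbus"))
    return findings


def triage(frames: list[bytes]) -> dict[int, list[str]]:
    """Return, per frame index, only the alert-level reasons (what an analyst should look at)."""
    return {
        i: [f.reason for f in inspect_modbus_tcp(frame) if f.severity == "alert"]
        for i, frame in enumerate(frames)
    }


# Constructed sample frames (not real captures).
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),  # valid Read Holding Registers request, 10 registers
    bytes.fromhex("000200000003019003"),        # well-formed 0x90 exception, code 03 ILLEGAL DATA VALUE
    bytes.fromhex("0003000000060190"),          # 0x90 with no exception byte and length 6 vs 2 on the wire
    bytes.fromhex("0004000100020103"),          # protocol id 1 instead of 0
    bytes.fromhex("000500000001"),              # shorter than MBAP header + function code
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_FRAMES).items():
        print(idx, reasons or "ok")
```

Frames 0 and 1 produce no alerts: the first is a normal request and the second is a well-formed exception response, which the function reports only at "info" severity so that ordinary PLC error replies do not page anyone. Frames 2 to 4 are the shapes worth logging on a span port or firewall in front of the RTU, because a length field that disagrees with the wire, a truncated exception, or a foreign protocol id does not occur in healthy Modbus traffic.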