3S-Smart Software Solutions GmbH CODESYS Web Server
Severity: Act Now (CVSS 9.8)
Advisory: ICS-CERT ICSA-17-087-02
Published: Mar 28, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CODESYS Web Server versions 2.3 and earlier contain two vulnerabilities: an unrestricted upload of a file with a dangerous type (CWE-434) and a stack-based buffer overflow (CWE-121). Both are reachable by a remote attacker without authentication and allow arbitrary code execution on the device. The Web Server's request and file handling performs neither proper input validation nor access control on uploaded files. Any CODESYS-based programmable logic controller or industrial PC that runs the affected Web Server component is affected.
What this means
What could happen
An attacker with network access to the Web Server could upload and execute arbitrary code on a CODESYS device without authenticating, and from there alter control logic or halt the controlled process.
Who's at risk
Any organization using CODESYS Web Server for remote engineering access or monitoring in PLCs, soft-logic controllers, or IPC devices. This includes manufacturers of packaging machinery, automotive assembly systems, water treatment plants, and power generation facilities that rely on CODESYS for programming and diagnostics.
How it could be exploited
An attacker sends a specially crafted file upload request to the CODESYS Web Server on TCP port 8080 (or whatever port the device is configured to use). Because the server performs no authentication and does not restrict the type or handling of uploaded files, the attacker can place a malicious file on the device and have it executed. The separately reported stack-based buffer overflow in the same component provides a second path to code execution over the same unauthenticated interface.
Prerequisites
- Network access to CODESYS Web Server port (default 8080)
- No authentication required
- CODESYS Web Server version 2.3 or earlier
- Remotely exploitable
- No authentication required
- Low complexity to exploit
- Critical CVSS (9.8)
- No patch available (end-of-life product)
- File upload vulnerability allows code execution
Exploitability
Moderate exploit probability (EPSS 1.9% at the time this page was generated; EPSS scores are recomputed daily, so re-check before using the figure for prioritization)
Affected products (1)
Product: CODESYS Web Server
Affected Versions: ≤ 2.3
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the CODESYS Web Server to authorized engineering workstations only, using firewall rules or network segmentation
WORKAROUND: Disable the CODESYS Web Server if it is not actively used for remote monitoring or engineering
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Ask your device manufacturer whether a Web Server build later than 2.3 exists for your device. The Web Server ships as part of vendor firmware, so any fix has to come through the device manufacturer's release channel, not directly from 3S.
Mitigations - no patch available
CODESYS Web Server has reached End of Life and the vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement host-based firewalling on CODESYS devices to restrict inbound connections on the Web Server port to trusted sources
HARDENING: Monitor CODESYS Web Server logs and network traffic for file upload attempts, in particular POST/PUT requests to the Web Server port from hosts outside the engineering allowlist or carrying unusually large or multipart bodies
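The two compensating controls above (an engineering-workstation allowlist and monitoring for upload attempts) can be checked together against HTTP records from a network sensor. The following is an added example written for this page; it is not code from the advisory, from 3S, or from any CODESYS product. The record format (tab-separated ts, src, dst, dport, method, uri, content_type, body_len), the 10.10.5.0/24 engineering network, the 4096-byte body threshold and the URIs in the sample are all constructed assumptions; the default port 8080 is the one the advisory names.

```python
"""Flag write requests to a CODESYS Web Server that fall outside the
engineering allowlist or look like file uploads.

Added example for this advisory page; not vendor code. The log format and
all addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

CODESYS_WEB_PORT = 8080               # advisory: default port; may be reconfigured per device
ENGINEERING_NETS = [ipaddress.ip_network("10.10.5.0/24")]   # assumed allowlist
WRITE_METHODS = {"POST", "PUT"}
UPLOAD_BODY_THRESHOLD = 4096          # assumed: bodies this large are not normal WebVisu traffic

# Constructed sample records (not real traffic). Fields, tab-separated:
# ts  src  dst  dport  method  uri  content_type  body_len
SAMPLE_LOG = """\
1490659200.1\t10.10.5.12\t10.10.20.7\t8080\tGET\t/webvisu.htm\t-\t0
1490659201.4\t10.10.5.12\t10.10.20.7\t8080\tPOST\t/webvisu.htm\tapplication/x-www-form-urlencoded\t84
1490659230.9\t192.168.77.3\t10.10.20.7\t8080\tPOST\t/placeholder-upload-path\tmultipart/form-data\t51200
1490659231.2\t192.168.77.3\t10.10.20.7\t8080\tGET\t/\t-\t0
1490659240.0\t10.10.5.12\t10.10.20.7\t8080\tPUT\t/placeholder-file.bin\tapplication/octet-stream\t200000
1490659250.0\t192.168.77.3\t10.10.20.7\t443\tPOST\t/\tmultipart/form-data\t3000
"""


@dataclass(frozen=True)
class HttpRecord:
    ts: float
    src: str
    dst: str
    dport: int
    method: str
    uri: str
    content_type: str
    body_len: int


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    uri: str
    reasons: tuple


def parse_records(text: str) -> List[HttpRecord]:
    """Parse the constructed tab-separated format; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, method, uri, ctype, blen = line.split("\t")
        records.append(HttpRecord(float(ts), src, dst, int(dport),
                                  method.upper(), uri, ctype, int(blen)))
    return records


def is_engineering_host(ip: str) -> bool:
    """True if the source address lies inside an allowlisted engineering network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENGINEERING_NETS)


def analyze(records: List[HttpRecord], port: int = CODESYS_WEB_PORT) -> List[Alert]:
    """Return one Alert per record on the Web Server port that breaks a rule.

    Rules: any request from outside the allowlist is reported (the server has
    no authentication, so reconnaissance matters too); write requests with a
    multipart body or a large body are reported from any source, because an
    allowlisted workstation may itself be compromised.
    """
    alerts = []
    for r in records:
        if r.dport != port:
            continue
        reasons = []
        if not is_engineering_host(r.src):
            reasons.append("source outside engineering allowlist")
        if r.method in WRITE_METHODS:
            if r.content_type.lower().startswith("multipart/form-data"):
                reasons.append("multipart upload")
            if r.body_len >= UPLOAD_BODY_THRESHOLD:
                reasons.append(f"write body {r.body_len} bytes >= {UPLOAD_BODY_THRESHOLD}")
        if reasons:
            alerts.append(Alert(r.ts, r.src, r.uri, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in analyze(parse_records(SAMPLE_LOG)):
        print(f"{a.ts} {a.src} {a.uri}: {'; '.join(a.reasons)}")
```

Feed it real records by replacing SAMPLE_LOG with an export from your sensor mapped to the same fields. The GET from the non-allowlisted host is reported on purpose: on an unauthenticated service, the first request from an unexpected source is the earliest signal you will get, and the upload that follows it is the one that matters.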
CVEs (2)
API: /api/v1/advisories/241be1c3-f6bf-40bf-90b9-3a3598f9ab7f