3S-Smart Software Solutions GmbH CODESYS Web Server
Act Now · CVSS 9.8 · ICS-CERT ICSA-18-032-02 · Feb 1, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The CODESYS Web Server shipped with CODESYS V2.3, in versions prior to V1.1.9.19, contains a stack-based buffer overflow (CWE-121) in the Web Server module that allows remote code execution without authentication. An attacker can send a specially crafted request to the Web Server and execute arbitrary code on the device. The vulnerability is remotely exploitable with a low skill level and requires no user interaction. No patch is available for the affected versions; V1.1.9.19 marks the end of the affected range, so a Web Server build at or above that version is outside it.
What this means
What could happen
An attacker with network access to the CODESYS Web Server can run arbitrary code on the device without authentication, potentially gaining control of the PLC or controller and disrupting process operations, communications, or safety systems.
Who's at risk
This affects any organization using CODESYS-based PLCs, PACs, or embedded controllers with the Web Server module enabled—including water treatment systems, power distribution networks, manufacturing plants, and HVAC controls. The CODESYS platform is widely used in European and global automation environments.
How it could be exploited
An attacker on the network sends a crafted request to the CODESYS Web Server's listening port. Processing that request triggers a stack-based buffer overflow (CWE-121), which lets the attacker execute code of their choosing on the device. No valid credentials are needed and no action by an operator is required.
Prerequisites
- Network access to the CODESYS Web Server port (typically port 80 or 8080, but confirm for your environment)
- No authentication required
Key points
- Remotely exploitable
- No authentication required
- Low complexity
- No patch available for v2.3
- High CVSS score (9.8)
- Affects control system availability and integrity
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product | Affected Versions | Fix Status
CODESYS Web Server (CODESYS V2.3) | prior to V1.1.9.19 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate CODESYS Web Server devices from the Internet and business network; place them behind a firewall and on a separate OT network segment
WORKAROUND: If remote access to CODESYS devices is required, restrict access to trusted IP addresses via firewall rules and use a VPN with current security patches for secure tunneling
WORKAROUND: Disable the CODESYS Web Server service on all devices where it is not operationally necessary
Schedule — requires maintenance window
Updating the Web Server component or replacing the device may require a reboot; plan for process interruption
HARDENING: Monitor network traffic for unexpected connections to CODESYS Web Server ports; implement intrusion detection rules if available
Mitigations - no patch available
The following product has reached End of Life with no planned fix: CODESYS Web Server (CODESYS V2.3), versions prior to V1.1.9.19. Apply the following compensating controls:
HARDENING: Plan device replacement or retirement for CODESYS V2.3 installations whose Web Server is in the affected range, as no patch exists
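Two of the controls above can be scripted: confirming which controllers still run a Web Server build in the affected range (prior to V1.1.9.19), and watching for connections to the Web Server port from outside the trusted OT segment. The Python below is an added example written for this page; it is not code from 3S-Smart Software Solutions or from the advisory. The port set, the controller inventory, the trusted source networks and the flow records are all constructed assumptions, and the flow format is a toy whitespace-separated layout rather than a real NetFlow or Zeek schema.

```python
import ipaddress
from typing import Iterable

# Ports on which the CODESYS Web Server is commonly reached (assumption, taken from
# the "typically 80 or 8080" note above; confirm against your own device configuration).
CODESYS_WEB_PORTS = {80, 8080}

# The advisory's affected range is "prior to V1.1.9.19", so this is the first build
# outside it.
FIRST_UNAFFECTED_VERSION = (1, 1, 9, 19)


def parse_version(text: str) -> tuple:
    """Turn 'V1.1.9.18' or '1.1.9.18' into a tuple of ints that compares numerically."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def is_affected(version: str) -> bool:
    """True when a CODESYS V2.3 Web Server build is inside the affected range."""
    return parse_version(version) < FIRST_UNAFFECTED_VERSION


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: 'timestamp src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto.lower(),
    }


def unexpected_connections(flow_lines: Iterable[str],
                           controllers: dict,
                           trusted_sources: Iterable[str]) -> list:
    """Return TCP flows that reach a known controller's Web Server port from a source
    outside the trusted networks. `controllers` maps controller IP -> installed
    Web Server version string, so each finding also says whether the target is
    still in the affected range."""
    trusted = [ipaddress.ip_network(net) for net in trusted_sources]
    findings = []
    for line in flow_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment in the log
        flow = parse_flow(line)
        dst = str(flow["dst"])
        if dst not in controllers:
            continue  # not one of our CODESYS devices
        if flow["proto"] != "tcp" or flow["dport"] not in CODESYS_WEB_PORTS:
            continue  # not the Web Server service
        if any(flow["src"] in net for net in trusted):
            continue  # engineering workstation or OT segment: expected traffic
        findings.append({
            "ts": flow["ts"],
            "src": str(flow["src"]),
            "dst": dst,
            "dport": flow["dport"],
            "affected_version": is_affected(controllers[dst]),
        })
    return findings


# Constructed inventory: controller IP -> Web Server version reported by the device.
CONTROLLERS = {
    "10.20.0.11": "V1.1.9.18",   # inside the affected range
    "10.20.0.12": "V1.1.9.19",   # first build outside the affected range
}

# Constructed allowlist: the OT segment itself and one engineering workstation.
TRUSTED_SOURCES = ["10.20.0.0/24", "10.50.1.5/32"]

# Constructed flow records (timestamp src dst dport proto).
FLOWS = [
    "# ts src dst dport proto",
    "2018-02-01T10:00:01 10.20.0.5 10.20.0.11 8080 tcp",    # OT segment: expected
    "2018-02-01T10:00:02 10.50.1.5 10.20.0.11 8080 tcp",    # engineering host: expected
    "2018-02-01T10:00:03 192.168.7.9 10.20.0.11 8080 tcp",  # business LAN to affected PLC
    "2018-02-01T10:00:04 192.168.7.9 10.20.0.12 80 tcp",    # business LAN to updated PLC
    "2018-02-01T10:00:05 192.168.7.9 10.20.0.11 1200 tcp",  # other service, out of scope here
    "2018-02-01T10:00:06 192.168.7.9 10.20.0.99 8080 tcp",  # host not in inventory
    "2018-02-01T10:00:07 203.0.113.4 10.20.0.11 8080 udp",  # not TCP, not the Web Server
]

if __name__ == "__main__":
    for finding in unexpected_connections(FLOWS, CONTROLLERS, TRUSTED_SOURCES):
        flag = "AFFECTED" if finding["affected_version"] else "not in affected range"
        print(f'{finding["ts"]} {finding["src"]} -> {finding["dst"]}:{finding["dport"]} ({flag})')
```

Run against real data, the flow source would be your firewall or sensor export and the inventory the version each controller reports; the allowlist is the point of the check, since any Web Server connection from outside it is either a misconfigured path to fix or an event to investigate. A hit against a controller still in the affected range should be treated as a possible exploitation attempt, because no authentication stands between that connection and the overflow.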
CVEs (1)