3S-Smart Software Solutions GmbH CODESYS V3 Products
Act Now | 9.4 | ICS-CERT ICSA-18-352-04 | Dec 18, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Two vulnerabilities in CODESYS V3 products (CWE-923 and CWE-330) allow remote attackers to spoof the source of communication packets and exploit weak random number generation. These issues affect the confidentiality and integrity of data stored on controllers running CODESYS, including all CODESYS Control runtime variants (BeagleBone, emPC-A, IOT2000, Linux, PFC100/200, Raspberry Pi, RTE V3, Win V3), development tools, HMI, gateway, OPC server, and safety-certified versions. The vulnerabilities enable attackers without credentials to disguise malicious traffic or compromise cryptographic protections.
What this means
What could happen
An attacker with network access to a CODESYS device could forge packets to disguise their origin or exploit weak random number generation to compromise confidentiality and integrity of stored data, potentially allowing them to manipulate process logic or steal sensitive configuration information.
Who's at risk
Manufacturing facilities using CODESYS V3 runtime systems, particularly those deploying control logic on PLC platforms from WAGO (PFC series), Beckhoff (CX controllers), or Linux-based industrial computers. This includes organizations using CODESYS for process control, HMI, and remote supervision across automotive, chemical, food and beverage, and discrete manufacturing sectors.
How it could be exploited
An attacker on the same network as the CODESYS controller could send specially crafted packets that spoof their source address, making malicious commands appear to come from trusted devices. Alternatively, they could exploit the weak random number generation to predict or recover sensitive cryptographic keys or authentication tokens stored on the device.
Prerequisites
- Network access to the CODESYS device on port 2455 or other controller communication ports
- No authentication is required to send forged packets or to exploit the weak random number generation
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects safety systems (CODESYS V3 Safety SIL2)
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (20)
20 EOL
Product | Affected Versions | Fix Status
CODESYS V3 products - CODESYS Control for BeagleBone | CODESYS Control for BeagleBone | No fix (EOL)
CODESYS V3 products - CODESYS Control for emPC-A/iMX6 | CODESYS Control for emPC-A/iMX6 | No fix (EOL)
CODESYS V3 products - CODESYS Control for IOT2000 | CODESYS Control for IOT2000 | No fix (EOL)
CODESYS V3 products - CODESYS Control for Linux | CODESYS Control for Linux | No fix (EOL)
CODESYS V3 products - CODESYS Control for PFC200 | CODESYS Control for PFC200 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate CODESYS controllers behind firewalls and restrict network access to trusted engineering workstations only
- WORKAROUND: If remote access to CODESYS controllers is required, establish VPN tunnels and disable all other remote access methods
- HARDENING: Enable user authentication and password protection on all CODESYS development systems and controllers
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Download and apply the latest CODESYS software update from https://www.codesys.com/download/
- HARDENING: Physically secure access to CODESYS development systems and control devices
CVEs (2)