3S-Smart Software Solutions GmbH CODESYS V3 Products

Plan PatchCVSS 9.4ICS-CERT ICSA-18-352-04Dec 18, 2018

CODESYSWAGOBeckhoffManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Two vulnerabilities in CODESYS V3 products (CWE-923 and CWE-330) allow remote attackers to spoof the source of communication packets and exploit weak random number generation. These issues affect the confidentiality and integrity of data stored on controllers running CODESYS, including all CODESYS Control runtime variants (BeagleBone, emPC-A, IOT2000, Linux, PFC100/200, Raspberry Pi, RTE V3, Win V3), development tools, HMI, gateway, OPC server, and safety-certified versions. The vulnerabilities enable attackers without credentials to disguise malicious traffic or compromise cryptographic protections.

What this means

What could happen

An attacker with network access to a CODESYS device could forge packets to disguise their origin or exploit weak random number generation to compromise confidentiality and integrity of stored data, potentially allowing them to manipulate process logic or steal sensitive configuration information.

Who's at risk

Manufacturing facilities using CODESYS V3 runtime systems, particularly those deploying control logic on PLC platforms from WAGO (PFC series), Beckhoff (CX controllers), or Linux-based industrial computers. This includes organizations using CODESYS for process control, HMI, and remote supervision across automotive, chemical, food and beverage, and discrete manufacturing sectors.

How it could be exploited

An attacker on the same network as the CODESYS controller could send specially crafted packets that spoof their source address, making malicious commands appear to come from trusted devices. Alternatively, they could exploit the weak random number generation to predict or recover sensitive cryptographic keys or authentication tokens stored on the device.

Prerequisites

Network access to the CODESYS device on port 2455 or other controller communication ports
No authentication required to send forged packets or access weak random number generation

remotely exploitableno authentication requiredlow complexityno patch availableaffects safety systems (CODESYS V3 Safety SIL2)

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (20)

20 EOL

ProductAffected VersionsFix Status

CODESYS V3 products - CODESYS Control for BeagleBone,CODESYS Control for BeagleBoneNo fix (EOL)

CODESYS V3 products - CODESYS Control for emPC-A/iMX6,CODESYS Control for emPC-A/iMX6No fix (EOL)

CODESYS V3 products - CODESYS Control for IOT2000,CODESYS Control for IOT2000No fix (EOL)

CODESYS V3 products - CODESYS Control for Linux,CODESYS Control for LinuxNo fix (EOL)

CODESYS V3 products - CODESYS Control for PFC200,CODESYS Control for PFC200No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate CODESYS controllers behind firewalls and restrict network access to trusted engineering workstations only

WORKAROUNDIf remote access to CODESYS controllers is required, establish VPN tunnels and disable all other remote access methods

HARDENINGEnable user authentication and password protection on all CODESYS development systems and controllers

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXDownload and apply the latest CODESYS software update from https://www.codesys.com/download/

HARDENINGPhysically secure access to CODESYS development systems and control devices

CVEs (2)

CVE-2018-20026 CVE-2018-20025

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ee6a8dde-d1d5-4df6-8608-5c4bf5d3cd27

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.