3S-Smart Software Solutions GmbH CODESYS V3 (Update A)
8.8 | ICS-CERT ICSA-19-213-04 | Aug 1, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CODESYS V3 runtime systems and development tools contain a vulnerability in the CmpUserMgr (user management) component that allows attackers on the local network to intercept and steal user credentials transmitted during PLC communication and management operations. The vulnerability affects all versions of CODESYS Control runtime systems (for PFC200, Win V3, RTE V3, Linux, Raspberry Pi, BeagleBone, IOT2000, and other platforms) as well as the CODESYS Development System, Simulation Runtime, and HMI V3 components. Successful exploitation requires network-level access but could enable unauthorized access to modify control logic, configurations, or safety settings.
What this means
What could happen
An attacker with access to network traffic between engineering workstations and PLCs running CODESYS could intercept and steal user credentials, potentially gaining unauthorized access to modify control logic or configurations.
Who's at risk
Manufacturing facilities and transportation systems using CODESYS-based PLCs and controllers from WAGO, Beckhoff, and other vendors rely on these platforms for process automation, safety interlocks, and equipment control. Anyone managing, configuring, or monitoring CODESYS-based systems should be concerned—this affects engineering workstations, runtime systems on production hardware (PLC controllers), and development environments.
How it could be exploited
An attacker positioned on the same network segment as CODESYS devices (LAN access) could passively intercept PLC traffic to capture unencrypted or weakly protected user credentials transmitted during authentication or management operations. This requires network sniffing capability but no interaction with the device itself.
Prerequisites
- Network access to the local network segment where CODESYS devices communicate
- Ability to sniff/capture network traffic (attacker on the same LAN or compromised network infrastructure)
- CODESYS devices actively communicating with engineering workstations or other management tools
- No patch available from vendor
- Affects all CODESYS product versions
- Requires local network access (not remotely exploitable over Internet)
- Credential theft could lead to unauthorized process modifications
- Impacts both development systems and production control hardware
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (13)
13 with fix
Product | Affected Versions | Fix Status
CODESYS Control Win V3 (also part of the CODESYS Development System setup) containing the CmpUserMgr component | All versions | 3.5.16.0
CODESYS Control RTE V3 containing the CmpUserMgr component | All versions | 3.5.16.0
CODESYS Control for PFC200 containing the CmpUserMgr component | All versions | 3.5.16.0
CODESYS Control RTE V3 (for Beckhoff CX) containing the CmpUserMgr component | All versions | 3.5.16.0
CODESYS V3 Simulation Runtime (part of the CODESYS Development System) containing the CmpUserMgr component | All versions | 3.5.16.0
CODESYS Control for Linux containing the CmpUserMgr component | All versions | 3.5.16.0
CODESYS Control V3 Runtime System Toolkit containing the CmpUserMgr component | All versions | 3.5.16.0
CODESYS Control for IOT2000 containing the CmpUserMgr component | All versions | 3.5.16.0
Remediation & Mitigation
Do now
- HARDENING: Ensure control system networks are not directly accessible from the Internet and use firewalls to block inbound access
- WORKAROUND: If remote access to engineering workstations is required, enforce use of encrypted VPN connections to management interfaces
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CODESYS V3 runtime components to Version 3.5.16.0 or later when vendor releases the patch
Long-term hardening
- HARDENING: Implement network segmentation to isolate CODESYS control devices on a separate VLAN from the general business network
- HARDENING: Deploy packet capture monitoring and firewall rules to restrict traffic between engineering workstations and PLCs to only necessary management ports
CVEs (1)