3S-Smart Software Solutions GmbH CODESYS V3 (Update A)

Plan PatchCVSS 8.8ICS-CERT ICSA-19-213-04Aug 1, 2019

CODESYSWAGOBeckhoffManufacturingTransportation

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

CODESYS V3 runtime systems and development tools contain a vulnerability in the CmpUserMgr (user management) component that allows attackers on the local network to intercept and steal user credentials transmitted during PLC communication and management operations. The vulnerability affects all versions of CODESYS Control runtime systems (for PFC200, Win V3, RTE V3, Linux, Raspberry Pi, BeagleBone, IOT2000, and other platforms) as well as the CODESYS Development System, Simulation Runtime, and HMI V3 components. Successful exploitation requires network-level access but could enable unauthorized access to modify control logic, configurations, or safety settings.

What this means

What could happen

An attacker with access to network traffic between engineering workstations and PLCs running CODESYS could intercept and steal user credentials, potentially gaining unauthorized access to modify control logic or configurations.

Who's at risk

Manufacturing facilities and transportation systems using CODESYS-based PLCs and controllers from WAGO, Beckhoff, and other vendors rely on these platforms for process automation, safety interlocks, and equipment control. Anyone managing, configuring, or monitoring CODESYS-based systems should be concerned—this affects engineering workstations, runtime systems on production hardware (PLC controllers), and development environments.

How it could be exploited

An attacker positioned on the same network segment as CODESYS devices (LAN access) could passively intercept PLC traffic to capture unencrypted or weakly protected user credentials transmitted during authentication or management operations. This requires network sniffing capability but no interaction with the device itself.

Prerequisites

Network access to the local network segment where CODESYS devices communicate
Ability to sniff/capture network traffic (attacker on the same LAN or compromised network infrastructure)
CODESYS devices actively communicating with engineering workstations or other management tools

No patch available from vendorAffects all CODESYS product versionsRequires local network access (not remotely exploitable over Internet)Credential theft could lead to unauthorized process modificationsImpacts both development systems and production control hardware

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (17)

13 with fix4 pending

ProductAffected VersionsFix Status

EC300≤ 03.06.19(18)No fix yet

PFC 100≤ 03.06.19(18)No fix yet

PFC 200≤ 03.06.19(18)No fix yet

TP600≤ 03.06.19(18)No fix yet

CODESYS Control Win V3 (also part of the CODESYS Development System setup) containing the CmpUserMgr component: all versionsAll versions3.5.16.0

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGEnsure control system networks are not directly accessible from the Internet and use firewalls to block inbound access

WORKAROUNDIf remote access to engineering workstations is required, enforce use of encrypted VPN connections to management interfaces

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CODESYS V3 runtime components to Version 3.5.16.0 or later when vendor releases the patch

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate CODESYS control devices on a separate VLAN from the general business network

HARDENINGDeploy packet capture monitoring and firewall rules to restrict traffic between engineering workstations and PLCs to only necessary management ports

CVEs (4)

CVE-2019-9011 CVE-2020-12067 CVE-2020-12069 CVE-2019-9013

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6c7e6fc9-f9f6-4b68-ac16-a75920c854d1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.