OTPulse

3S-Smart Software Solutions GmbH CODESYS V3 Web Server

Act Now (10) · ICS-CERT ICSA-19-255-01 · Sep 12, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The CODESYS V3 web server component (CmpWebServer) contains path traversal and buffer overflow vulnerabilities that allow unauthenticated remote attackers to access restricted files or execute arbitrary code. The vulnerabilities affect all versions of CODESYS Control runtime systems prior to 3.5.14.10, including embedded runtimes for Beckhoff CX controllers, WAGO PFC200/PFC100, Raspberry Pi, BeagleBone, and Linux-based systems. Exploitation requires only network access to the web server port and does not require valid credentials or user interaction. Successful exploitation can result in complete compromise of the controller, allowing arbitrary code execution, file access, or denial of service.

What this means
What could happen
An attacker with network access to a CODESYS web server could execute arbitrary code on the controller, alter process logic, or cause a denial of service, disrupting manufacturing operations. This could also allow unauthorized access to engineering files and system configurations.
Who's at risk
Manufacturing facilities running CODESYS V3 runtime systems on Beckhoff CX embedded controllers, WAGO PFC industrial controllers, or Linux-based runtime platforms. This includes facilities using CODESYS for process automation, motion control, or HMI (human-machine interface) visualization. Organizations using legacy CODESYS Control Win V3 should note that no patch is available for that product line.
How it could be exploited
An attacker sends a specially crafted HTTP request to the unprotected CODESYS web server listening on port 8080 or another configured port. The vulnerability in CmpWebServer (path traversal or buffer overflow) allows the request to bypass file access controls or overwrite memory. No authentication is required, and the attacker does not need to know valid credentials or interact with the operator.
Prerequisites
  • Network access to the CODESYS web server port (default 8080)
  • CODESYS web server must be enabled on the target device
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • High CVSS severity (10.0)
  • Affects safety-critical and process-critical controllers
  • Multiple affected product lines (embedded, Linux, Windows)
  • No fix available for CODESYS Control Win V3
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (14)
13 with fix · 1 EOL
Product | Affected Versions | Fix Status
CODESYS Control RTE V3 (for Beckhoff CX) containing the webserver CmpWebServer: all | < 3.5.14.10 | 3.5.14.10
CODESYS Control RTE V3 containing the webserver CmpWebServer: all | < 3.5.14.10 | 3.5.14.10
CODESYS Control Win V3 (also part of the CODESYS Development System setup) containing the webserver CmpWebServer: all | < 3.5.14.10 | No fix (EOL)
CODESYS Control for emPC-A/iMX6 containing the webserver CmpWebServer: all | < 3.5.14.10 | 3.5.14.10
CODESYS Control for Linux containing the webserver CmpWebServer: all | < 3.5.14.10 | 3.5.14.10
CODESYS Control V3 Runtime System Toolkit containing the webserver CmpWebServer: all | < 3.5.14.10 | 3.5.14.10
CODESYS Control for Raspberry Pi containing the webserver CmpWebServer: all | < 3.5.14.10 | 3.5.14.10
CODESYS Control for BeagleBone containing the webserver CmpWebServer: all | < 3.5.14.10 | 3.5.14.10
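The table above gives one fixed build (3.5.14.10) and one product line with no fix. As an added example, not code from OTPulse or from CODESYS, the script below triages a controller inventory against that table: it compares runtime versions numerically (a plain string comparison would rank 3.5.14.9 above 3.5.14.10) and routes the End-of-Life product line to compensating controls instead of a patch action. The short product labels, asset tags and inventory entries are constructed for illustration.

```python
"""Triage a controller inventory against the affected-versions table above.

Added example (not the advisory's or CODESYS's own code). Versions are compared
numerically against the fixed build 3.5.14.10 named in the advisory, and the
product line the advisory marks End of Life gets compensating controls instead
of a patch action. Product labels and the inventory itself are constructed.
"""
from dataclasses import dataclass

FIXED_VERSION = "3.5.14.10"                     # fixed build per the advisory
EOL_PRODUCTS = {"CODESYS Control Win V3"}       # no vendor patch per the advisory


def parse_version(text: str) -> tuple:
    """'3.5.14.10' -> (3, 5, 14, 10). Numeric tuples sort correctly where plain
    strings do not ('3.5.14.9' > '3.5.14.10' lexically). Short versions are
    padded with zeros so '3.5.14' compares below '3.5.14.10'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the runtime build is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Controller:
    name: str                 # constructed asset tag
    product: str              # constructed short product label
    version: str
    webserver_enabled: bool


def triage(inventory):
    """Map each controller to the action the advisory's guidance implies."""
    actions = {}
    for c in inventory:
        if not is_affected(c.version):
            actions[c.name] = "not affected: build is 3.5.14.10 or later"
        elif c.product in EOL_PRODUCTS:
            actions[c.name] = ("EOL, no patch: isolate segment, disable web server, "
                               "restrict access")
        elif c.webserver_enabled:
            actions[c.name] = ("restrict web server port now; update to 3.5.14.10 "
                               "in a maintenance window")
        else:
            actions[c.name] = "update to 3.5.14.10; keep web server disabled"
    return actions


# Constructed inventory; asset tags, products and versions are illustrative.
INVENTORY = [
    Controller("PLC-01", "CODESYS Control for Linux", "3.5.14.9", True),
    Controller("PLC-02", "CODESYS Control RTE V3", "3.5.14.10", True),
    Controller("PLC-03", "CODESYS Control Win V3", "3.5.12.0", True),
    Controller("PLC-04", "CODESYS Control for Raspberry Pi", "3.5.13", False),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY).items():
        print(f"{name}: {action}")
```

Feed it your own asset list in place of the constructed one; the point of `parse_version` is that a three-part version such as 3.5.13 and a four-part one such as 3.5.14.9 both land on the correct side of the fix line.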
Remediation & Mitigation
Do now
WORKAROUND: Disable the CODESYS web server if not required for operations; restrict HTTP/HTTPS access via firewall rules to only authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Control runtime to version 3.5.14.10 or later
WORKAROUND: Use a VPN or secure tunnel if remote access to CODESYS is needed for diagnostics or updates
HARDENING: Enable user management and enforce strong passwords on all CODESYS controller accounts
Mitigations - no patch available
CODESYS Control Win V3 (also part of the CODESYS Development System setup) containing the webserver CmpWebServer: all versions have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate CODESYS controllers on a separate network segment not directly accessible from office networks or the Internet
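The controls above only help if you can confirm who reaches the web server port and what they ask for. As an added example (not part of the advisory or the CODESYS product), the script below reviews constructed HTTP access records for the runtime's web server with two defender checks: sources outside an assumed engineering-workstation allowlist, which is evidence that the firewall restriction is not in effect, and request paths carrying directory-traversal sequences or abnormal length, the generic shapes of the two bug classes the advisory names. The record format, addresses, network ranges, file names and thresholds are all assumptions; real runtime log formats differ.

```python
"""Review constructed web-server access records for a CODESYS controller.

Added example, not from the advisory or CODESYS. Checks each request for:
  1. a source outside the engineering-workstation allowlist (the firewall
     restriction recommended above is then not in effect);
  2. a directory-traversal sequence (after percent-decoding) or an oversized
     request path, the generic shapes of the path-traversal and buffer-overflow
     bug classes the advisory names.
Record format 'src_ip METHOD path status', all addresses and the thresholds are
constructed for illustration.
"""
import ipaddress
from urllib.parse import unquote

# Assumed allowlist of engineering workstation networks.
ENGINEERING_NETS = [ipaddress.ip_network("10.10.50.0/24")]
MAX_PATH_LEN = 512                        # illustrative threshold
TRAVERSAL_MARKERS = ("../", "..\\")


def decode_path(path: str) -> str:
    """Percent-decode until stable so double-encoded sequences are normalised too."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path


def classify_request(src_ip: str, path: str) -> list:
    """Return the list of findings for one request (empty list means clean)."""
    findings = []
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        findings.append("unparseable source address")
    else:
        if not any(ip in net for net in ENGINEERING_NETS):
            findings.append("source outside engineering allowlist")
    decoded = decode_path(path)
    if any(marker in decoded for marker in TRAVERSAL_MARKERS):
        findings.append("directory traversal sequence in path")
    if len(path) > MAX_PATH_LEN:
        findings.append("oversized request path")
    return findings


def scan_log(lines):
    """Parse records and return (src_ip, path, findings) for every flagged one."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # malformed record, skip
        src, _method, path, _status = parts
        findings = classify_request(src, path)
        if findings:
            hits.append((src, path, findings))
    return hits


# Constructed sample records (addresses, paths and statuses are illustrative).
SAMPLE_LOG = [
    "10.10.50.12 GET /visu/start.htm 200",
    "192.168.7.77 GET /visu/start.htm 200",
    "192.168.7.77 GET /%252e%252e/%252e%252e/restricted.cfg 404",
    "10.10.50.30 GET /" + "A" * 600 + " 400",
]

if __name__ == "__main__":
    for src, path, findings in scan_log(SAMPLE_LOG):
        print(f"{src} {path[:40]} -> {', '.join(findings)}")
```

A hit on the allowlist check is the more useful signal in practice: it shows the segmentation or firewall control is not doing its job, regardless of whether the request itself looked hostile. The decode loop matters because a single `unquote` leaves double-encoded sequences intact.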
API: /api/v1/advisories/6cd9eb3b-bbf5-42ea-b864-c073fa4faf61