3S-Smart Software Solutions GmbH CODESYS Control V3 Online User Management
Plan Patch · 8.8 · ICS-CERT ICSA-19-255-03 · Sep 12, 2019
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
CODESYS Control and HMI products with versions below 3.5.13.0 contain an improper permissions configuration in the CmpUserMgr component (CWE-732). This allows an authenticated user to bypass role-based access controls and access functionality and information restricted to higher-privilege users. The vulnerability affects CODESYS runtime on multiple platforms including Beckhoff CX, WAGO PFC controllers, Raspberry Pi, BeagleBone, emPC-A/iMX6, IOT2000, and Windows systems, as well as CODESYS HMI V3 and the CODESYS Development System simulation runtime.
What this means
What could happen
An authenticated user with network access could bypass user management restrictions in CODESYS controllers and HMI systems, gaining access to functions and data they should not be able to reach. This could allow an insider or an attacker with valid credentials to alter program logic, change setpoints, or disable safety interlocks.
Who's at risk
Manufacturing plants and utilities running CODESYS Control runtime on Beckhoff CX, WAGO PFC, Siemens IOT2000, Raspberry Pi, BeagleBone, or Windows systems, as well as any CODESYS HMI deployments. This includes facilities using CODESYS as their primary PLC or soft-controller programming platform for industrial automation, process control, or safety-critical systems.
How it could be exploited
An attacker with valid credentials connects to a CODESYS Control or HMI instance over the network. The attacker exploits a flaw in the CmpUserMgr component to bypass role-based access controls, allowing them to execute actions restricted to higher-privilege users without proper authorization.
Prerequisites
- Valid CODESYS user credentials
- Network access to the CODESYS Control or HMI service port
- Service running with CmpUserMgr component enabled
- User management feature in use (not in full-access mode)
Remotely exploitable · Requires valid credentials · Affects user role isolation · Low complexity attack · Vendor patch available · Affects multiple controller platforms
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (11)
11 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| CODESYS Control RTE V3 containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
| CODESYS V3 Simulation Runtime (part of the CODESYS Development System) containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
| CODESYS Control RTE V3 (for Beckhoff CX) containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
| CODESYS HMI V3 containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
| CODESYS Control for emPC-A/iMX6 containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
| CODESYS Control for Raspberry Pi containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
| CODESYS Control for PFC200 containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
| CODESYS Control Win V3 (also part of the CODESYS Development System setup) containing the CmpUserMgr | all < 3.5.13.0 | 3.5.13.0 |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network firewall rules to restrict access to CODESYS Control and HMI ports (typically 11740) to authorized engineering workstations and control networks only
- HARDENING: Implement VPN requirement for any remote access to CODESYS controllers or HMI systems
- HARDENING: Ensure user management and strong password policies are active on all CODESYS systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CODESYS Control and HMI runtime to version 3.5.13.0 or later
Long-term hardening
- HARDENING: Physically restrict access to development systems and controller programming interfaces
- HARDENING: Segment CODESYS control systems from corporate IT networks using firewalls and VLANs
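The two checks behind the patch and firewall items above, as an added example that is not part of the advisory or of any CODESYS tooling: it flags runtimes below 3.5.13.0 using a numeric comparison (a string comparison would rank 3.5.9.0 above 3.5.13.0) and lists hosts reached on port 11740 from outside an engineering allowlist. The asset inventory, flow records, allowlist range and function names are constructed for illustration.

```python
import ipaddress

FIXED = (3, 5, 13, 0)   # first fixed release named in the advisory
CODESYS_PORT = 11740    # port the advisory gives as typical

def parse_version(text):
    """Turn '3.5.9.20' into (3, 5, 9, 20) so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def needs_patch(version):
    """True when the runtime version is below the fixed release."""
    return parse_version(version) < FIXED

def unauthorized_peers(flows, allowed_nets, port=CODESYS_PORT):
    """Return sorted (src, dst) pairs that reached the port from outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = set()
    for src, dst, dport in flows:
        addr = ipaddress.ip_address(src)
        if dport == port and not any(addr in n for n in nets):
            hits.add((src, dst))
    return sorted(hits)

def triage(assets, flows, allowed_nets):
    """Per host: does it need the update, and was it reached from a non-allowlisted source?"""
    exposed = {dst for _, dst in unauthorized_peers(flows, allowed_nets)}
    return {host: {"patch": needs_patch(ver), "exposed": host in exposed}
            for host, ver in assets.items()}

# Constructed sample data (assumed inventory export and flow-log tuples).
ASSETS = {
    "10.20.0.11": "3.5.12.80",
    "10.20.0.12": "3.5.9.0",
    "10.20.0.13": "3.5.13.0",
    "10.20.0.14": "3.5.14.10",
}
ALLOWED = ["10.20.5.0/28"]  # assumed engineering workstation range
FLOWS = [
    ("10.20.5.3", "10.20.0.11", 11740),     # allowlisted workstation
    ("192.168.40.7", "10.20.0.12", 11740),  # outside the allowlist
    ("192.168.40.7", "10.20.0.13", 443),    # different port, ignored
    ("10.20.5.20", "10.20.0.14", 11740),    # just outside the /28
]

if __name__ == "__main__":
    for host, state in triage(ASSETS, FLOWS, ALLOWED).items():
        print(host, state)
```

Hosts flagged with both "patch" and "exposed" are the ones to restrict at the firewall first while the maintenance window for the update is scheduled.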
CVEs (1)