3S-Smart Software Solutions GmbH CODESYS Control V3 OPC UA Server

MonitorCVSS 6.5ICS-CERT ICSA-19-255-04Sep 12, 2019

CODESYSWAGOBeckhoff

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

The CODESYS Control OPC UA server contains a null pointer dereference vulnerability (CWE-476) that can be triggered by a malformed OPC UA request from an authenticated user. The flaw exists in all versions from 3.5.11.0 through 3.5.15.0 across all CODESYS Control platforms including runtime systems for Beckhoff, WAGO, Raspberry Pi, BeagleBone, and Windows systems. Successful exploitation causes the OPC UA server to crash, resulting in denial of service for applications relying on that server for real-time data exchange or commands.

What this means

What could happen

An attacker with network access and valid user credentials can send a malformed OPC UA request to the CODESYS OPC UA server, causing it to crash and stop responding. This disrupts communication with any applications that depend on the server for real-time data or control commands.

Who's at risk

Water and electric utilities, manufacturing facilities, and infrastructure operators running CODESYS-based controllers (including Beckhoff, WAGO, and other industrial PLCs) that use the OPC UA server for process monitoring or remote system integration. This affects both development systems and runtime controllers on edge devices like Raspberry Pi, BeagleBone, and industrial PCs.

How it could be exploited

An attacker with network access to the OPC UA server port (typically 4840) and valid user credentials sends a specially crafted OPC UA request. The server fails to validate the request properly, triggering a null pointer dereference that crashes the OPC UA service.

Prerequisites

Network access to OPC UA server port (default 4840)
Valid OPC UA user credentials
OPC UA service must be enabled

remotely exploitablerequires valid credentialsaffects OPC UA service availabilityno patch available for affected versions

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (11)

11 with fix

ProductAffected VersionsFix Status

CODESYS Control RTE V3 (for Beckhoff CX): all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

CODESYS Control for IOT2000: all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

CODESYS Control for BeagleBone: all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

CODESYS Control for PFC200: all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

CODESYS Control for emPC-A/iMX6: all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

CODESYS Control for Raspberry Pi: all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

CODESYS Control for PFC100: all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

CODESYS Control RTE V3: all≥ 3.5.11.0 | ≤ 3.5.15.03.5.15.0

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to the OPC UA server port using firewall rules; allow connections only from authorized engineering workstations and SCADA systems

WORKAROUNDDisable OPC UA service if not actively used in your application

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CODESYS Control to version 3.5.15.0 or later

Long-term hardening

0/3

HARDENINGEnforce strong user credentials and multi-factor authentication for OPC UA connections

HARDENINGSegment the control system network from corporate IT and external networks using firewalls and air-gapping where possible

HARDENINGUse VPN tunnels for any required remote access to development or control systems

CVEs (1)

CVE-2019-13542

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c24daed8-5816-4bb4-af39-8f0b063ff05e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.