CODESYS V2 web server

Status: Plan Patch | CVSS 9.8 | ICS-CERT ICSA-21-173-02 | Jun 22, 2021
CODESYS
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

CODESYS V2 web server versions prior to 1.1.9.20 contain multiple memory safety vulnerabilities (buffer overflows and missing bounds checks). An unauthenticated remote attacker can use them to read or write arbitrary memory and files in the CODESYS Control runtime system, to execute code through invalid memory access, or to crash the web server and the runtime. This page lists CODESYS V2 as end-of-life with no vendor patch; the vendor recommends migrating to a supported version. Because the affected range stops at 1.1.9.20, check the vendor advisory referenced by ICSA-21-173-02 for whether that web server version can still be obtained for your installation before treating the issue as unpatchable.

What this means
What could happen
An attacker could read or write arbitrary memory and files on the CODESYS Control runtime, potentially extracting program logic, modifying process parameters, or executing code on the controller. Exploitation could also crash the web server or the runtime system itself, interrupting production operations; on a controller, a runtime crash is a loss-of-control event, not just a loss of the web interface.
Who's at risk
Facility managers and automation engineers running CODESYS V2 control systems should care. This affects PLC/PAC runtime environments used to control manufacturing processes, water treatment, power distribution, and other critical industrial equipment. Any facility using CODESYS V2 as a runtime platform for process automation is at risk. Note that CODESYS licenses its runtime to many device manufacturers, so the V2 web server may be present on controllers sold under another vendor's name; inventory by runtime, not by nameplate.
How it could be exploited
An attacker with network access to the CODESYS V2 web server (default TCP port 8080, or a custom port) can send crafted requests that trigger out-of-bounds reads and writes. No authentication is needed, so the only barrier is network reachability: with it, the attacker can read sensitive data, write attacker-controlled data into runtime memory, or crash the runtime.
Prerequisites
  • Network access to CODESYS V2 web server (typically port 8080)
  • No authentication required
  • CODESYS V2 runtime running stand-alone or as part of CODESYS Control system
Tags: remotely exploitable, no authentication required, low complexity attack, no patch available, affects runtime control system, affects safety-critical logic
Exploitability
Unlikely to be exploited (EPSS score 0.6%). EPSS reflects observed exploitation activity across the internet; ICS web servers are rarely internet-exposed, so a low score says little about the risk once an attacker already has a foothold inside the OT network.
Affected products (1)
Product: all CODESYS V2 web servers running stand-alone or as part of the CODESYS runtime system (as reported by CODESYS)
Affected Versions: < 1.1.9.20
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate CODESYS V2 systems from untrusted networks using network segmentation or firewall rules; restrict access to the web server port (TCP 8080 by default, or whatever port is configured) to engineering workstations only, and log and drop everything else.
WORKAROUND: Disable the CODESYS V2 web server if it is not actively used for remote monitoring or diagnostics. Check first whether any HMI relies on it: the V2 web server also serves WebVisu visualizations, which stop working when it is disabled.
Schedule — requires maintenance window
Migration or configuration changes may require a device reboot; plan for process interruption.
HARDENING: Monitor network traffic to the CODESYS web server for connections from hosts outside the engineering-workstation allowlist, for requests with unusually long URIs or bodies, and for unexplained restarts of the web server or runtime, which are the availability signature of a failed or successful memory-corruption attempt.
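As an added example tying the segmentation and monitoring controls above together (this is not code from OTPulse or from CODESYS): a Python review of Zeek-style http.log records for the PLC's web server, plus the nftables rule that enforces the allowlist. The PLC address 10.20.30.5, the engineering subnet 10.20.40.0/28, the log field names, the request paths, the sample records and the length thresholds are all constructed assumptions; the length checks are a generic out-of-profile heuristic, not signatures taken from the advisory.

```python
"""Added example (not from the OTPulse page or from CODESYS): review web-server
traffic to a CODESYS V2 PLC against an engineering-workstation allowlist, flag
requests shaped like memory-corruption probes, and render the matching
nftables segmentation rule.  Every address, path and threshold below is a
constructed assumption for this demo."""
import ipaddress
import json
from dataclasses import dataclass

# Assumed PLC running the V2 web server (default port 8080 per the advisory)
# and the only subnet that should ever reach it: the engineering workstations.
PLC_WEB = ("10.20.30.5", 8080)
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.20.40.0/28")]

# Generic length heuristics, NOT signatures from ICSA-21-173-02: the V2 web
# server serves a handful of short, fixed URIs, so very long request
# components are out of profile and worth a look.
MAX_URI_LEN = 256
MAX_BODY_LEN = 4096


def _rec(ts, src, dst, dport, method, uri, body_len):
    """Build one Zeek-style http.log record (JSON-lines format, assumed)."""
    return json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": dst,
                       "id.resp_p": dport, "method": method, "uri": uri,
                       "request_body_len": body_len})


# Constructed sample log: two normal sessions from an engineering workstation,
# one oversized POST from that workstation, an unknown host probing the server
# with a normal and then a very long URI, and unrelated traffic to another host.
SAMPLE_LOG = "\n".join([
    _rec(1624345200.1, "10.20.40.3", "10.20.30.5", 8080, "GET", "/webvisu.htm", 0),
    _rec(1624345201.4, "10.20.40.3", "10.20.30.5", 8080, "POST", "/webvisu.htm", 120),
    _rec(1624345260.9, "10.20.40.3", "10.20.30.5", 8080, "POST", "/webvisu.htm", 65536),
    _rec(1624345300.7, "192.168.1.77", "10.20.30.5", 8080, "GET", "/", 0),
    _rec(1624345301.2, "192.168.1.77", "10.20.30.5", 8080, "GET", "/" + "A" * 300, 0),
    _rec(1624345302.0, "10.20.40.3", "10.20.30.9", 80, "GET", "/index.html", 0),
])


@dataclass
class Finding:
    ts: float
    src: str
    reason: str


def parse_http_log(text):
    """Yield records from JSON-lines text, skipping blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield json.loads(line)


def is_allowlisted(src, allowlist=ENGINEERING_ALLOWLIST):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)


def review_log(text, plc=PLC_WEB, allowlist=ENGINEERING_ALLOWLIST):
    """Return a Finding for every request to the PLC web server that comes
    from outside the allowlist or carries an out-of-profile URI/body size."""
    findings = []
    for rec in parse_http_log(text):
        if (rec.get("id.resp_h"), rec.get("id.resp_p")) != plc:
            continue  # traffic to some other host/port: not in scope
        ts, src = rec["ts"], rec["id.orig_h"]
        if not is_allowlisted(src, allowlist):
            findings.append(Finding(ts, src, "source outside engineering allowlist"))
        uri_len = len(rec.get("uri") or "")
        if uri_len > MAX_URI_LEN:
            findings.append(Finding(ts, src, f"oversized URI ({uri_len} bytes)"))
        body_len = rec.get("request_body_len") or 0
        if body_len > MAX_BODY_LEN:
            findings.append(Finding(ts, src, f"oversized request body ({body_len} bytes)"))
    return findings


def summarize(findings):
    """Group finding reasons by source address for a triage view."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f.src, []).append(f.reason)
    return by_src


def render_nft_rules(plc=PLC_WEB, allowlist=ENGINEERING_ALLOWLIST):
    """Render an nftables forward-chain fragment for the firewall in front of
    the PLC: allowlisted subnets may reach the web server port, every other
    attempt to that port is logged and dropped."""
    host, port = plc
    nets = ", ".join(str(n) for n in allowlist)
    return "\n".join([
        "table inet plc_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {host} tcp dport {port} ip saddr {{ {nets} }} accept",
        f'    ip daddr {host} tcp dport {port} log prefix "codesys-web-denied: " drop',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for src, reasons in summarize(review_log(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
    print(render_nft_rules())
```

Run as a script it prints the per-source triage summary for the constructed log and the nftables fragment; in production you would feed it Zeek's JSON http.log output, baseline real request sizes before settling on the thresholds, and load the rendered ruleset into the segmentation firewall that sits between the engineering VLAN and the PLC.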
Mitigations - no patch available
CODESYS reports that all CODESYS V2 web servers, whether running stand-alone or as part of the CODESYS runtime system, have reached end of life. The vendor will not release a further patch for V2. Apply the following compensating controls:
HARDENING: Migrate to a supported version of CODESYS (V3 or later) as part of long-term asset modernization planning
CODESYS V2 web server | CVSS 9.8 - OTPulse