CODESYS Control V2 communication

Plan: Patch
CVSS: 9.8
ICS-CERT: ICSA-21-173-03
Date: Jun 22, 2021
Tags: Schneider Electric, CODESYS, Energy, Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Buffer overflow vulnerabilities in CODESYS Runtime Toolkit 32-bit full and PLCWinNT (versions prior to 2.4.7.55) allow remote code execution or denial of service. Malformed network messages can trigger heap-based buffer overflow, stack-based buffer overflow, or buffer over-read conditions in the affected products, potentially allowing an attacker to execute arbitrary commands on the PLC or crash the runtime and stop process control.

What this means
What could happen
An attacker with network access could trigger a buffer overflow in the CODESYS runtime, causing the PLC to crash and halt process control, or potentially execute arbitrary code to alter setpoints, disable safety functions, or manipulate equipment operation.
Who's at risk
Manufacturing facilities using CODESYS Control V2 runtime environments should prioritize this: the vulnerability affects the CODESYS Runtime Toolkit 32-bit full and PLCWinNT versions used in industrial automation systems to control PLCs and machinery. Any facility relying on CODESYS-based controllers for process automation, packaging lines, or production control is at risk if its systems are networked or accessible remotely.
How it could be exploited
An attacker sends a specially crafted network message to the CODESYS runtime service (typically listening on the local network). The malformed data triggers a heap or stack buffer overflow in the message parsing code, either crashing the process (denial of service) or allowing code execution with the privileges of the runtime service.
Prerequisites
  • Network access to the CODESYS Runtime or PLCWinNT service port (typically port 11740 for CODESYS v2)
  • No authentication required to send malicious packets
  • CODESYS Runtime or PLCWinNT service must be running and exposed to the network
Key points
  • Remotely exploitable over network
  • No authentication required
  • Low attack complexity
  • High CVSS score (9.8)
  • Affects legacy systems (CODESYS V2)
  • Can cause denial of service or enable code execution
  • Affects control system runtime
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Affected products (3)
2 with fix, 1 EOL
Product | Affected Versions | Fix Status
CODESYS Runtime Toolkit 32-bit full | < 2.4.7.55 | Fixed in 2.4.7.55
CODESYS PLCWinNT | < 2.4.7.55 | Fixed in 2.4.7.55
Programmable Automation Controller (PacDrive) M | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to block unauthorized network access to CODESYS Runtime ports from outside the control system network
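One way to verify that the firewall workaround holds and to spot exposure of the runtime port, as an added example that is not part of the advisory or any vendor tooling: it scans connection-log lines for traffic to port 11740 (the CODESYS V2 port named above) from sources outside an assumed engineering-workstation allowlist. The log format, the allowlist CIDR and the sample lines are constructed for this example.

```python
import ipaddress
import re

# Port the advisory names for CODESYS V2 runtime communication.
CODESYS_V2_PORT = 11740

# Assumed allowlist: the engineering-workstation subnet that legitimately
# programs the PLCs. Any other source reaching the runtime port is suspect.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed (hypothetical) firewall/flow-log line format:
# "<ts> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: one legitimate session, one unauthorized host that
# is first allowed then denied, unrelated Modbus traffic, and an internet host.
SAMPLE_LOG = """\
2021-06-22T10:01:02Z proto=tcp src=10.10.5.20:50112 dst=10.20.1.15:11740 action=allow
2021-06-22T10:02:44Z proto=tcp src=192.168.77.9:41000 dst=10.20.1.15:11740 action=allow
2021-06-22T10:02:45Z proto=tcp src=192.168.77.9:41001 dst=10.20.1.15:11740 action=deny
2021-06-22T10:03:10Z proto=tcp src=10.10.5.21:50200 dst=10.20.1.15:502 action=allow
2021-06-22T10:04:00Z proto=udp src=203.0.113.8:9999 dst=10.20.1.15:11740 action=allow
"""


def find_unauthorized_codesys_access(log_text, allowed=ALLOWED_SOURCES):
    """Return (timestamp, source IP, action) for every hit on the CODESYS V2
    port from a source outside the allowlist. Denied hits show the firewall
    rule doing its job; allowed hits show a gap in the rule set."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        if int(m["dport"]) != CODESYS_V2_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):
            continue
        findings.append((m["ts"], m["src"], m["action"]))
    return findings


if __name__ == "__main__":
    for ts, src, action in find_unauthorized_codesys_access(SAMPLE_LOG):
        print(f"{ts} {src} -> port {CODESYS_V2_PORT} ({action})")
```

Allowed hits from outside the allowlist are the ones to act on; they mean the runtime port is reachable from a network segment the workaround is meant to block.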
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Runtime Toolkit 32-bit full to version 2.4.7.55 or later
HOTFIX: Update CODESYS PLCWinNT to version 2.4.7.55 or later (or update the CODESYS Development System setup to v2.3.9.66 or later)
Mitigations - no patch available
Programmable Automation Controller (PacDrive) M (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate CODESYS-based systems on a protected control network segment separate from office networks and the internet
HARDENING: Disable remote access to CODESYS systems unless required; if remote access is needed, route all connections through a VPN with strong authentication
HARDENING: Enable CODESYS user management and password protection features
HARDENING: Use encrypted communication links for CODESYS operations
API: /api/v1/advisories/222bd98e-86e0-4633-ba17-6944b60d4147
