CODESYS Development System
Plan Patch | CVSS 7.3 | ICS-CERT ICSA-23-236-03 | Jul 28, 2023
CODESYS, Phoenix Contact, WAGO, Beckhoff, Manufacturing
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
The CODESYS Development System versions 3.5.17.0 through 3.5.19.19 contain a binary planting vulnerability (CWE-427) where a local attacker can place a malicious executable in a directory that the application searches during startup or operation. When a user launches the application or an associated process, the system may execute the attacker's binary instead of the legitimate one, giving the attacker code execution in the context of the user running CODESYS.
What this means
What could happen
An attacker with local access to an engineering workstation could trick a user into running a malicious program by exploiting how the CODESYS Development System launches applications, potentially compromising the development environment and any projects it contains.
Who's at risk
Engineering teams and automation contractors who use CODESYS Development System for PLC and industrial controller programming. This affects anyone developing automation logic for water treatment, wastewater, power systems, or other critical infrastructure that relies on CODESYS-based control systems.
How it could be exploited
An attacker must first gain local access to the machine running CODESYS Development System. The attacker then places a malicious binary in a location where CODESYS will search for it (likely a DLL or executable in the system path or application directory). When a user launches the application or performs an action that triggers application execution, the system runs the attacker's malicious binary instead of the legitimate one.
Prerequisites
- Local access to the engineering workstation running CODESYS
- Ability to write files to directories in the application search path
- User action required (clicking a link, opening a file, or launching the application)
- Requires local access for exploitation
- User interaction required
- Affects software development environment
- Could compromise control logic and project files
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (28)
20 with fix, 8 pending
Product | Affected Versions | Fix Status
Basic Controller 100 | ≤ FW2 | No fix yet
Compact Controller 100 | ≤ FW25 | No fix yet
EC 300 | ≤ FW25 | No fix yet
e!COCKPIT | ≤ 1.11.2.0 | No fix yet
PFC 100 | ≤ FW22 Patch 1 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Educate users not to click on web links or open attachments from unsolicited emails that could lead to malicious file placement
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Development System
HOTFIX: Update CODESYS Development System to version 3.5.19.20 or later
Long-term hardening
HARDENING: Apply the principle of least privilege: restrict local user account permissions on development workstations to prevent unauthorized file placement in system directories
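The least-privilege item above depends on whether a standard account can create files in directories that are searched for executables. As an added example (not part of the advisory or of any CODESYS tooling), the Python script below is meant to be run as the unprivileged engineering account: it probes every `PATH` directory, plus any directories passed as arguments (for instance the application folder, which the advisory does not name), and reports the ones that account can write to. The function names are chosen for this example.

```python
import os
import sys
import tempfile


def probe_writable(directory):
    """True if the current account can create a file in `directory`."""
    try:
        fd, name = tempfile.mkstemp(prefix="search-path-audit-", dir=directory)
    except OSError:  # permission denied, missing directory, read-only volume
        return False
    os.close(fd)
    os.remove(name)  # leave nothing behind
    return True


def audit_search_dirs(path_value, extra_dirs=()):
    """Map each search directory to 'writable', 'missing' or 'ok'."""
    findings = {}
    for entry in path_value.split(os.pathsep) + list(extra_dirs):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        directory = os.path.normcase(os.path.abspath(os.path.expandvars(entry)))
        if directory in findings:  # PATH often repeats entries
            continue
        if not os.path.isdir(directory):
            # Stale entry: whoever can create it later controls its contents.
            findings[directory] = "missing"
        elif probe_writable(directory):
            findings[directory] = "writable"
        else:
            findings[directory] = "ok"
    return findings


if __name__ == "__main__":
    # Extra directories (e.g. the application folder) are an assumption
    # supplied by the operator on the command line.
    results = audit_search_dirs(os.environ.get("PATH", ""), sys.argv[1:])
    for directory, status in results.items():
        if status != "ok":
            print(f"{status.upper():8} {directory}")
```

Any directory reported as `WRITABLE` for a standard account is a candidate for tightening permissions or removal from the search path; `MISSING` entries are stale and can be deleted from `PATH`.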
CVEs (17)
API: /api/v1/advisories/b5bc7d45-b417-480c-a09d-ffcd3b22ccd5