OTPulse
FeedAboutContact

CODESYS Development System

Low Risk3.3ICS-CERT ICSA-23-236-04Aug 24, 2023
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

CODESYS Development System versions prior to 3.5.19.20 contain an improper access control vulnerability (CWE-345) that allows a local attacker with a user account on the workstation to read stored account credentials. This does not affect deployed control devices themselves, only the engineering workstations used to program them. Exploitation requires local access; remote exploitation is not possible.

What this means
What could happen
A local attacker with user-level access to a workstation running CODESYS Development System could read account credentials stored on that machine, potentially compromising engineering accounts used to program and maintain control systems.
Who's at risk
Engineering teams and plant operators who use CODESYS Development System on workstations are affected. This includes water utilities, electric utilities, manufacturing facilities, and any organization using CODESYS to program PLCs, HMIs, or other industrial control devices. The risk is elevated if engineering workstations are shared among multiple users or not physically secured.
How it could be exploited
An attacker with local access (physical or via workstation compromise) can read stored account information from the CODESYS Development System configuration. This requires the attacker to already have a user account on the workstation—not a remote threat, but a risk if workstations are shared or if an attacker gains initial access through phishing or social engineering.
Prerequisites
  • Local user account on the workstation running CODESYS Development System
  • CODESYS Development System version prior to 3.5.19.20 installed
Low complexity attack requiredNo authentication bypass needed (requires existing user account)Local access only (not remotely exploitable)Affects engineering tools used to control critical infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
CODESYS Development System: < 3.5.19.20< 3.5.19.203.5.19.20
Remediation & Mitigation
0/3
Do now
0/2
HARDENINGRestrict local access to engineering workstations—ensure they are not left unattended and require strong passwords or multi-factor authentication for user login
WORKAROUNDReview and disable storage of credentials in CODESYS if the application supports credential management alternatives (check CODESYS documentation)
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CODESYS Development System to version 3.5.19.20 or later using the CODESYS Installer or CODESYS Store
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/29a1a4cb-755b-4eec-8395-7fe4911374eb
CODESYS Development System | CVSS 3.3 - OTPulse