CODESYS Development System
Act Now | CVSS 9.6 | ICS-CERT ICSA-23-236-05 | Aug 24, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The CODESYS Development System versions 3.5.11.0 through 3.5.19.19 contain a man-in-the-middle vulnerability (CWE-345) that allows an attacker positioned on the network path between the development workstation and a remote PLC to intercept unprotected communications and inject arbitrary code into programs being downloaded or compiled. Successful exploitation results in arbitrary code execution on the target runtime system.
What this means
What could happen
An attacker could intercept communications between CODESYS Development System and a remote runtime and inject malicious code into PLC programs during download or compilation, resulting in arbitrary code execution on connected industrial devices.
Who's at risk
Organizations using CODESYS Development System for PLC programming should care, particularly those with remote engineering access, distributed control systems, or systems that allow remote program downloads. This affects automation engineers, system integrators, and any facility operating CODESYS-based equipment including water treatment, power distribution, manufacturing, and process control environments.
How it could be exploited
An attacker positioned on the network path between a CODESYS Development System and a remote PLC performs a man-in-the-middle attack on the unprotected communication channel. The attacker intercepts the traffic, modifies the code or program data being sent, and injects arbitrary instructions that execute on the target device when the PLC runs the program.
Prerequisites
- Network access to the communication channel between the CODESYS Development System and the remote PLC/runtime
- User interaction: engineer must initiate a program download or remote connection
- CODESYS Development System version 3.5.11.0 through 3.5.19.19
Remotely exploitable | Low complexity attack | Requires user interaction (code download initiation) | High CVSS score (9.6) | Affects safety-critical control systems | Man-in-the-middle attack vector
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
CODESYS Development System | ≥ 3.5.11.0, < 3.5.19.20 | 3.5.19.20
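The affected range above, applied to a workstation inventory. This is an added example, not part of the advisory or of any CODESYS tooling; the `hostname,version` record format and the host names are constructed assumptions. Versions are compared as integer tuples because a plain string comparison would rank 3.5.19.9 above 3.5.19.20 and report it as fixed.

```python
import re

# Range stated in the advisory: >= 3.5.11.0 and < 3.5.19.20 (fixed in 3.5.19.20).
FIRST_AFFECTED = (3, 5, 11, 0)
FIRST_FIXED = (3, 5, 19, 20)

VERSION_RE = re.compile(r"[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a four-part version as a tuple of ints, or None if it does not parse."""
    match = VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None

def classify(version_text):
    """Map a version string to 'affected', 'fixed', 'below-range' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"      # needs manual review, never assume it is safe
    if version < FIRST_AFFECTED:
        return "below-range"  # older than the range the advisory lists
    if version < FIRST_FIXED:
        return "affected"
    return "fixed"

def triage(inventory_lines):
    """Group hosts by status from 'hostname,version' records (assumed format)."""
    report = {"affected": [], "fixed": [], "below-range": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        report[classify(version)].append(host.strip())
    return report

# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    "eng-ws-01,3.5.19.20",
    "eng-ws-02,3.5.19.9",
    "eng-ws-03,V3.5.11.0",
    "eng-ws-04,3.5.10.40",
    "eng-ws-05,3.5 SP19",
    "eng-ws-06,3.5.19.19",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```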
Remediation & Mitigation
Do now
HARDENING: Use VPN or other secure encrypted channels when remote program downloads are required; ensure VPN is kept current with security updates
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update CODESYS Development System to version 3.5.19.20 or later
Long-term hardening
HARDENING: Isolate CODESYS Development System and engineering workstations from business network and Internet using firewalls and network segmentation
CVEs (1)