OTPulse

FESTO CODESYS

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-182-03 · Dec 3, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An unauthenticated attacker can send crafted requests to CODESYS Gateway Server V2 to cause denial of service by exhausting memory or consuming all available TCP connections. Additionally, passwords are insufficiently validated during login, allowing potential authentication bypass. All versions prior to V2.3.9.38 are affected.

What this means
What could happen
An attacker can crash or degrade the CODESYS Gateway Server by exhausting memory or TCP connections, or bypass login by exploiting weak password validation. This could prevent remote engineering access and monitoring of the control system.
Who's at risk
Water authorities and electric utilities using CODESYS V2 runtime for industrial controllers and PLCs. Any facility relying on CODESYS Gateway Server for remote engineering access, program uploads, or remote monitoring is affected. This includes both legacy control systems running V2 and modernized deployments if still using V2 products.
How it could be exploited
An attacker sends malformed or excessive requests over the network to the CODESYS Gateway Server port (typically 2455 or 11740) without authentication. The server fails to properly validate request size or connection limits, causing memory exhaustion (out-of-memory crash) or TCP connection exhaustion (denial of service). Alternatively, the attacker sends login requests with insufficiently validated passwords to bypass authentication.
Prerequisites
  • Network access to CODESYS Gateway Server port (default 2455 or 11740)
  • No credentials required
Tags: remotely exploitable, no authentication required, low complexity, denial of service via resource exhaustion, authentication bypass
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product                      Affected Versions   Fix Status
CODESYS provided by Festo    All versions        No fix yet
Remediation & Mitigation
Do now
[Hardening] Isolate the CODESYS Gateway Server and controllers in a protected network segment that is not reachable from outside or untrusted networks
[Workaround] Implement firewall rules to restrict access to the CODESYS Gateway Server ports (2455, 11740) to authorized engineering workstations and management systems only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

[Hotfix] Upgrade CODESYS Gateway Server to version V2.3.9.38 or later
[Hardening] Enable and enforce user management and password policies in CODESYS to require strong passwords
[Hardening] Enable encrypted communication (SSL/TLS) for CODESYS Gateway Server connections
Long-term hardening
[Hardening] Deploy VPN tunnels for any required remote access to CODESYS systems rather than exposing the Gateway directly
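The network-isolation and firewall items above are the only mitigations available while "Fix Status" reads "No fix yet". The following is an added example (not OTPulse, Festo or CODESYS material) of how the firewall workaround can be expressed as an nftables ruleset: only allowlisted engineering subnets may reach TCP ports 2455 and 11740, every other attempt to those ports is logged with a recognisable prefix and dropped, and a malformed allowlist entry aborts generation rather than producing an overly broad rule. The ports are the ones named in this advisory; the subnets and the table name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not vendor code: build an nftables ruleset that restricts the
# CODESYS Gateway Server ports (2455, 11740, from the advisory) to an allowlist
# of engineering workstations. All CIDRs used below are constructed placeholders.

CODESYS_PORTS="2455, 11740"

# Minimal sanity check on an allowlist entry: dotted quad with optional /prefix.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the ruleset for a space-separated list of allowed source CIDRs.
# Returns 1 and prints nothing if any entry is malformed, so a typo cannot
# silently become a broken or overly permissive rule.
gateway_ruleset() {
    allow="$1"
    for cidr in $allow; do
        valid_cidr "$cidr" || { echo "invalid allowlist entry: $cidr" >&2; return 1; }
    done
    printf 'table inet codesys_gw {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    for cidr in $allow; do
        printf '    ip saddr %s tcp dport { %s } accept\n' "$cidr" "$CODESYS_PORTS"
    done
    # Everything else aimed at the gateway ports is logged (for monitoring
    # of scans or connection floods) and then dropped.
    printf '    tcp dport { %s } log prefix "codesys-gw-denied " drop\n' "$CODESYS_PORTS"
    printf '  }\n'
    printf '}\n'
}

# Number of explicit allow rules in the generated ruleset (useful for review).
count_allow_rules() {
    gateway_ruleset "$1" | grep -c ' accept$'
}

# Usage: emit the ruleset for two placeholder engineering hosts. Redirect the
# output to a file and load it with `nft -f <file>` on the gateway host or on
# the firewall in front of the OT segment.
gateway_ruleset "10.0.1.0/24 10.0.2.5/32"
```

The explicit drop on the gateway ports (rather than relying on the chain policy) keeps the intent visible in the ruleset, and the `codesys-gw-denied` log prefix gives the SOC a single string to alert on when untrusted hosts start probing the gateway.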
API: /api/v1/advisories/7499e922-2a43-47fb-a042-b411c84cd7df