FESTO CODESYS

Status: Plan Patch | CVSS 9.8 | ICS-CERT advisory ICSA-25-182-03 | Dec 3, 2024
Product: CODESYS | Vendor: Festo
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

CODESYS Gateway Server V2 (all versions prior to V2.3.9.38) is vulnerable to two attack vectors: (1) unauthenticated denial-of-service via crafted requests that trigger excessive memory allocation or exhaust TCP client connections, causing the gateway to become unavailable; (2) insufficient password validation during login allowing weak or easily guessed credentials to grant unauthorized access. CODESYS Gateway Server acts as the communication bridge between engineering workstations and industrial controllers (PLCs, RTUs). If the gateway becomes unavailable, operators cannot modify control logic, troubleshoot issues, or deploy updates. If an attacker gains login access, they can view and modify control program code, alter process parameters, or inject malicious logic into the running system.

What this means
What could happen
An unauthenticated attacker with network access to the CODESYS Gateway Server could crash it by exhausting its memory or its pool of TCP client connections, cutting off communication between engineering workstations and the PLCs/controllers behind it. Separately, because the server's password check during login is weak, an attacker who can guess or obtain weak credentials could log in and gain unauthorized access to control logic.
Who's at risk
Festo CODESYS Gateway Server V2 operators and industrial facilities using CODESYS for PLC/controller programming and runtime management, including water treatment plants, power distribution systems, manufacturing facilities, and other automation environments where the gateway bridges engineering workstations and control devices.
How it could be exploited
An attacker sends specially crafted requests to the CODESYS Gateway Server's listening port (2455, as listed in this advisory; confirm the actual listening port on your installation before writing firewall rules) without authenticating. The malformed requests trigger excessive memory allocation or consume all available TCP client connection slots, leaving the gateway unresponsive to legitimate engineering clients. Alternatively, the attacker exploits the weak password check during login to gain unauthorized access to the control environment.
Prerequisites
  • Network reachability to the CODESYS Gateway Server port (2455 per this advisory)
  • Denial of service: no credentials required
  • Unauthorized login: a weak or guessable password, which the server's login check does not adequately reject
Tags: remotely exploitable, no authentication required for denial of service, low complexity attack, weak password validation, affects control system availability, no patch available for all versions
Exploitability
Unlikely to be exploited in the wild: EPSS score 0.5%. EPSS estimates the probability of observed exploitation, not the impact if it happens; the CVSS 9.8 impact rating still applies, so treat the low EPSS as a prioritization input rather than a reason to defer the network restrictions below.
Affected products (1)
Product: CODESYS provided by Festo
Affected versions: All versions
Fix status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the CODESYS Gateway Server port (2455 per this advisory) with firewall rules; allow connections only from authorized engineering workstations or specific IP ranges.
HARDENING: Enforce strong password policies for all CODESYS user accounts (minimum 12 characters, mixed case, numbers, special characters), since the server's own login check will not reject weak passwords for you.
HARDENING: Disable remote access to the CODESYS Gateway Server from external networks; require VPN with multi-factor authentication for any remote engineering access.
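The two "Do now" items above, the firewall allowlist and the connection-exhaustion risk, can be checked from the gateway host itself. The following script is an added example written for this page; it is not code from the advisory, from Festo or from CODESYS. It assumes a Linux host where the connection table can be read in the format of `ss -tn` (the sample below is constructed, not a real capture), that the gateway listens on the port this advisory names (2455), and that the engineering workstation ranges `192.168.10.0/24` and `fd00::/64` are the authorized clients; all three are assumptions to replace with your own values. It flags peers outside the allowlist (a firewall rule gap) and peers holding more simultaneous connections than a normal engineering client would (the pattern a TCP connection-exhaustion attack leaves behind), including half-open sockets.

```python
"""Check who is connected to a CODESYS Gateway Server port and how many sockets each holds.

Added example for this advisory page (not Festo/CODESYS code). Assumes `ss -tn` output format.
"""
from collections import Counter
import ipaddress
import subprocess

GATEWAY_PORT = 2455  # port named in this advisory; confirm the real listener on your host

# Constructed sample imitating `ss -tn` output on a Linux host. It is not a real capture.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      192.168.10.5:2455   192.168.10.20:51234
ESTAB     0      0      192.168.10.5:2455   192.168.10.20:51235
ESTAB     0      0      192.168.10.5:22     192.168.10.21:60000
ESTAB     0      0      192.168.10.5:2455   10.9.8.7:40001
ESTAB     0      0      192.168.10.5:2455   10.9.8.7:40002
ESTAB     0      0      192.168.10.5:2455   10.9.8.7:40003
SYN-RECV  0      0      192.168.10.5:2455   10.9.8.7:40004
ESTAB     0      0      [fd00::5]:2455      [fd00::20]:50000
"""

# Assumed engineering-workstation ranges; replace with the ranges your firewall rules permit.
ENGINEERING_ALLOWLIST = ["192.168.10.0/24", "fd00::/64"]


def split_host_port(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port); rpartition keeps IPv6 colons intact."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def peers_on_port(ss_output, port):
    """Yield (peer_ip, socket_state) for every socket whose local port is `port`."""
    for line in ss_output.strip().splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        if split_host_port(local)[1] != port:
            continue
        yield split_host_port(peer)[0], state


def assess(ss_output, port=GATEWAY_PORT, allowlist=ENGINEERING_ALLOWLIST, per_source_limit=3):
    """Summarize gateway connections: who is talking, who should not be, who holds too many."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    per_source = Counter()
    half_open = Counter()  # SYN-RECV and other non-established states, typical of a flood
    for peer_ip, state in peers_on_port(ss_output, port):
        per_source[peer_ip] += 1
        if state != "ESTAB":
            half_open[peer_ip] += 1

    def allowed(ip):
        addr = ipaddress.ip_address(ip)
        # `in` returns False (not an error) when address and network families differ
        return any(addr in net for net in nets)

    return {
        "total": sum(per_source.values()),
        "per_source": dict(per_source),
        "not_allowlisted": sorted(ip for ip in per_source if not allowed(ip)),
        "over_limit": sorted(ip for ip, n in per_source.items() if n >= per_source_limit),
        "half_open": dict(half_open),
    }


def live_ss_output():
    """Read the real connection table; only works on a Linux host with iproute2 installed."""
    return subprocess.run(["ss", "-tn"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    report = assess(SAMPLE_SS_OUTPUT)  # swap in live_ss_output() on the gateway host
    print(f"{report['total']} sockets on port {GATEWAY_PORT}")
    print("outside allowlist:", report["not_allowlisted"])
    print("over per-source limit:", report["over_limit"])
    print("half-open per source:", report["half_open"])
```

Run it periodically (cron or a task scheduler) and alert on a non-empty `not_allowlisted` list, which means the firewall allowlist is not doing its job, or on sources in `over_limit`, which is what a connection-slot exhaustion attempt looks like before the gateway stops answering. The per-source limit of 3 is a starting point; measure how many sockets your engineering tooling really opens and set the threshold just above that.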
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Gateway Server to version V2.3.9.38 or later. Note that the affected-products table above lists the Festo-provided CODESYS as "No fix yet", so confirm with Festo whether V2.3.9.38 is available for your specific product before scheduling the window; until it is, the workarounds under "Do now" are the effective control.
Long-term hardening
HARDENING: Isolate the CODESYS control network from general IT networks using network segmentation or VLANs to prevent unauthorized external access.


FESTO CODESYS | CVSS 9.8 - OTPulse