OTPulse

CODESYS V3 Runtime, Development System, and Gateway Vulnerabilities

Priority: Act Now · CVSS 9.8 · SEVD-2022-011-06 · Jan 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric and CODESYS have disclosed multiple vulnerabilities in the CODESYS V3 Runtime, Development System, and Gateway components. The affected CODESYS components ship in several Schneider products, including Modicon M241/M251 controllers, Eurotherm E+PLC100/400 controllers, Harmony HMI panels, and EcoStruxure Machine Expert. Successful exploitation could result in remote code execution on affected controllers or denial of service. The underlying weaknesses are an out-of-bounds write in packet parsing (CWE-787), a NULL pointer dereference (CWE-476), and deserialization of untrusted data (CWE-502) in the CODESYS runtime. No public exploit code is known at this time, but the vulnerabilities are rated critical and should be addressed immediately.

What this means
What could happen
An attacker with network access to a CODESYS-based system could execute arbitrary code on the controller or crash it, disrupting whatever industrial process it controls, from power distribution to manufacturing automation.
Who's at risk
Water and electric utilities, manufacturing plants, and building automation systems using Schneider Electric or CODESYS-embedded controllers are exposed. Specifically: Modicon M241/M251 programmable logic controllers (PLCs), Eurotherm E+PLC100/400 controllers, Harmony HMI panels (Easy Harmony ET6/GXU, Magelis HMISTU/HMISCU/HMIGTO/HMIGTU/HMIGTUX/HMIGK series), and any system running the affected versions of EcoStruxure Machine Expert or Vijeo Designer Basic.
How it could be exploited
An attacker sends a specially crafted network packet to the CODESYS runtime service (typically TCP 2455 or 11740, depending on the product) without needing credentials. The flaw in the runtime's packet parsing allows code execution, or memory corruption that crashes the device. No authentication and no access to the engineering environment are required.
Prerequisites
  • Network access to the CODESYS runtime port (e.g., TCP 2455, 11740, or product-specific port)
  • No valid credentials required
  • Vulnerable firmware version must be running (see affected product list)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Critical CVSS score (9.8)
  • Affects control logic execution
  • No patch available for Eurotherm E+PLC100 (all versions)
Exploitability
Low exploit probability (EPSS 0.4%). EPSS estimates the likelihood of exploitation in the wild, not impact; given unauthenticated network reach and a CVSS score of 9.8, a low EPSS score is not a reason to defer the fix.
Affected products (9)
8 with fix, 1 EOL
Product | Affected Versions | Fix Status
Eurotherm E+PLC100 | All versions | No fix (EOL)
M241/M251 | < 5.1.9.34 | 5.1.9.34
Eurotherm E+PLC400 | < 1.3.0.1 | 1.4.0.0
Eurotherm E+PLC tools | ≤ 1.3.0.1 | 1.4.0.0
Easy Harmony ET6 (HMIET Series) - Vijeo Designer Basic | ≤ 1.2.1 Hotfix 3 | 1.2.1 HotFix 4
Easy Harmony GXU (HMIGXU Series) - Vijeo Designer Basic | ≤ 1.2.1 Hotfix 3 | 1.2.1 HotFix 4
Harmony/Magelis HMISTU Series - Vijeo Designer Basic | ≤ 6.2 SP11 Hotfix 3 | 6.2 SP11 Hotfix 4
Harmony/Magelis HMISCU Series - Vijeo Designer Basic | < 2.0.3 | 2.1.0
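Triage against this table is mostly version comparison, and Schneider version strings mix dotted numbers with service-pack and hotfix suffixes ("6.2 SP11 Hotfix 3"), which plain string comparison gets wrong. The following script is an added example, not part of the OTPulse page or any Schneider tooling: it transcribes the affected-version rules from the table above into data, parses the version strings into comparable tuples, and flags assets in a constructed inventory that still need the fix. The inventory records, asset names, and product labels are assumptions for illustration.

```python
import re

# Affected-version rules transcribed from the advisory table above.
# product -> (operator, boundary version, fixed version or None when EOL)
ADVISORY = {
    "Eurotherm E+PLC100": ("all", None, None),
    "M241/M251": ("<", "5.1.9.34", "5.1.9.34"),
    "Eurotherm E+PLC400": ("<", "1.3.0.1", "1.4.0.0"),
    "Eurotherm E+PLC tools": ("<=", "1.3.0.1", "1.4.0.0"),
    "Vijeo Designer Basic (HMIET/HMIGXU)": ("<=", "1.2.1 Hotfix 3", "1.2.1 HotFix 4"),
    "Harmony/Magelis HMISTU": ("<=", "6.2 SP11 Hotfix 3", "6.2 SP11 Hotfix 4"),
    "Harmony/Magelis HMISCU": ("<", "2.0.3", "2.1.0"),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", re.IGNORECASE)


def parse_version(text):
    """Turn '6.2 SP11 Hotfix 3' into ((6, 2, 0, 0), 11, 3).

    The dotted part is zero-padded to four fields so '5.1.9' and '5.1.9.0'
    compare equal; a missing SP or Hotfix counts as 0.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums = tuple(nums + [0] * (4 - len(nums)))
    rest = m.group(2)
    sp = re.search(r"SP\s*(\d+)", rest, re.IGNORECASE)
    hf = re.search(r"hot\s*fix\s*(\d+)", rest, re.IGNORECASE)
    return (nums, int(sp.group(1)) if sp else 0, int(hf.group(1)) if hf else 0)


def is_affected(product, version):
    """True when `version` of `product` falls inside the advisory's affected range."""
    op, boundary, _fix = ADVISORY[product]
    if op == "all":
        return True
    v, b = parse_version(version), parse_version(boundary)
    return v < b if op == "<" else v <= b


def triage(inventory):
    """inventory: iterable of (asset, product, version).

    Returns (asset, product, version, action) for every affected asset.
    Products not named in the advisory are skipped, not assumed safe.
    """
    findings = []
    for asset, product, version in inventory:
        if product not in ADVISORY:
            continue
        if is_affected(product, version):
            fix = ADVISORY[product][2]
            action = f"update to {fix}" if fix else "EOL, no fix: isolate and segment"
            findings.append((asset, product, version, action))
    return findings


# Constructed inventory for illustration; not real site data.
SAMPLE_INVENTORY = [
    ("plc-01", "M241/M251", "5.1.9.33"),
    ("plc-02", "M241/M251", "5.1.9.34"),
    ("hmi-01", "Harmony/Magelis HMISTU", "V6.2 SP11 Hotfix 3"),
    ("hmi-02", "Harmony/Magelis HMISTU", "6.2 SP11 HotFix 4"),
    ("eplc-01", "Eurotherm E+PLC100", "2.0"),
    ("eplc-02", "Eurotherm E+PLC400", "1.3.0.1"),
    ("tools-01", "Eurotherm E+PLC tools", "1.3.0.1"),
]

if __name__ == "__main__":
    for asset, product, version, action in triage(SAMPLE_INVENTORY):
        print(f"{asset:10} {product:28} {version:22} -> {action}")
```

Note the asymmetry between the E+PLC400 row ("<" 1.3.0.1) and the E+PLC tools row ("≤" 1.3.0.1): the same version string is clean for one and affected for the other, so the operator has to be carried per product rather than assumed.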
Remediation & Mitigation
Do now
M241/M251
HOTFIX: Update M241/M251 firmware to version 5.1.9.34 or later using EcoStruxure Machine Expert
Eurotherm E+PLC400
HOTFIX: Update Eurotherm E+PLC400 firmware to version 1.4.0.0 or later (contact Eurotherm Support with serial numbers)
All products
HOTFIX: Update E+PLC Tools software to version 1.4.0.0 or later (contact Eurotherm Support)
HARDENING: Place CODESYS runtime services behind a firewall; allow access only from engineering workstations and authorized remote-access paths
HARDENING: Disable remote network access to CODESYS devices if it is not required for operations
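A firewall rule is only a mitigation if it is actually enforced, so the hardening step above is worth verifying from the firewall's own logs: any accepted connection to a CODESYS runtime port from outside the engineering subnet means the policy has a gap. The script below is an added example, not from the OTPulse page or from Schneider or CODESYS; it runs that check over a few constructed, vendor-neutral log lines. The log format, the engineering subnet 10.20.0.0/24, and the device addresses are assumptions; the ports 2455 and 11740 are the ones named in this advisory.

```python
import ipaddress
import re

# Constructed, vendor-neutral firewall log lines (not from any real device).
SAMPLE_LOG = """\
2022-01-12T10:01:02Z fw1 ACCEPT src=10.20.0.15 dst=10.30.1.50 proto=TCP dport=11740
2022-01-12T10:01:09Z fw1 ACCEPT src=192.168.77.8 dst=10.30.1.50 proto=TCP dport=11740
2022-01-12T10:02:30Z fw1 DROP src=192.168.77.8 dst=10.30.1.51 proto=TCP dport=2455
2022-01-12T10:03:11Z fw1 ACCEPT src=10.20.0.16 dst=10.30.1.51 proto=TCP dport=2455
2022-01-12T10:04:45Z fw1 ACCEPT src=172.16.9.9 dst=10.30.1.50 proto=TCP dport=443
"""

# Assumed allowlist: the engineering-workstation subnet. Adjust to the site.
ENGINEERING_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# CODESYS runtime ports named in the advisory.
CODESYS_PORTS = {2455, 11740}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(ip_text):
    """True when the source address lies inside an allowlisted engineering subnet."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in ENGINEERING_NETS)


def find_violations(log_text):
    """Return (timestamp, src, dst, dport) for every ACCEPTed connection to a
    CODESYS port from a source outside the allowlist. DROPs are the policy
    working; non-CODESYS ports are out of scope for this check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dport"] in CODESYS_PORTS and not is_allowed_source(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits


if __name__ == "__main__":
    for ts, src, dst, dport in find_violations(SAMPLE_LOG):
        print(f"{ts} policy gap: {src} reached {dst}:{dport}")
```

In the constructed sample only the second line is a violation: 192.168.77.8 is outside the engineering subnet and was accepted on 11740. The DROP on the next line is the rule doing its job, and the 443 connection is ignored because the check is scoped to the runtime ports.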
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure Machine Expert
HOTFIX: Update EcoStruxure Machine Expert to version 2.0.3 or later on engineering workstations
All products
HOTFIX: Update Vijeo Designer Basic to version 1.2.1 HotFix 4 or later and download updated HMI firmware to affected Harmony panels (Easy Harmony ET6/GXU series)
HOTFIX: Update Harmony/Magelis HMISTU Series to version 6.2 SP11 HotFix 4 or later via Vijeo Designer Basic
HOTFIX: Update Harmony/Magelis HMISCU Series to version 2.1.0 or later via Vijeo Designer Basic
Mitigations - no patch available
Eurotherm E+PLC100 (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate CODESYS controllers from untrusted networks