OTPulse

CODESYS Runtime Vulnerabilities

Plan Patch · 8.8 · SEVD-2023-101-01 · Apr 11, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in CODESYS Runtime embedded in Schneider Electric controllers could result in denial of service or remote code execution. Affected products include PacDrive 3 Controllers (LMC Eco/Pro/Pro2), Modicon Controllers (M241, M251, M262, M258, M218, LMC058), and Harmony HMISCU. Successful exploitation could compromise controller integrity and allow attackers to alter logic or change permissions on industrial control devices. Most products have no fix available; partial remediation exists for CVE-2022-4224 in select models via firmware updates delivered through Machine Expert v2.2 or Vijeo Designer v6.3.1.

What this means
What could happen
An attacker with network access and valid engineering credentials could remotely execute code on your Modicon or PacDrive controllers, potentially stopping production or altering process logic. Most affected controllers have no available patch, leaving systems vulnerable to denial of service attacks and logic tampering.
Who's at risk
Energy utilities and manufacturing facilities using Schneider Electric automation controllers should prioritize this issue. Specifically: energy sector operators managing power distribution or generation with Modicon M-series controllers, manufacturing plants running PacDrive 3 LMC systems, and facilities using Harmony HMISCU human-machine interfaces. The issue affects controllers at all firmware versions currently deployed.
How it could be exploited
An attacker with low-privilege access to the automation network could exploit these CODESYS Runtime vulnerabilities to bypass authentication or inject malicious code into the controller. The attack requires network connectivity to the controller and valid engineering workstation credentials to deploy the exploit through the engineering software interface.
Prerequisites
  • Network access to the CODESYS Runtime service on affected controllers (typically port 2455 or 11740)
  • Valid engineering workstation credentials or access to the engineering software (Machine Expert or Vijeo Designer)
  • Access to the controller management interface to deploy code or firmware updates
  • Typically requires intra-plant network access; not remotely exploitable across internet without VPN/DMZ exposure
  • No patch available for most affected products (M218, M258, LMC058 unpatched)
  • Partial fix only for CVE-2022-4224, other CODESYS vulnerabilities remain
  • Requires valid credentials but low authentication complexity once inside network
  • Remote code execution possible if exploited
  • Affects safety-critical industrial control systems
  • Logic integrity and permission attacks possible
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (9)
3 with fix · 2 pending · 4 EOL
Product | Affected Versions | Fix Status
Modicon Controller M241 All Versions | All versions | Firmware delivered with Machine Expert v2.2 (CVE-2022-4224 only)
PacDrive 3 Controllers: LMC Eco/Pro/Pro2 All Versions | All versions | No fix yet
Modicon Controller M251 All Versions | All versions | Firmware delivered with Machine Expert v2.2 (CVE-2022-4224 only)
PacDrive Controller LMC078 All Versions | All versions | No fix (EOL)
Modicon Controller M262 All Versions | All versions | Firmware delivered with Machine Expert v2.2 (CVE-2022-4224 only)
Modicon Controller M258 All Versions | All versions | No fix (EOL)
Modicon Controller M218 All Versions | All versions | No fix (EOL)
Modicon Controller LMC058 All Versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to CODESYS Runtime ports (2455, 11740) to authorized engineering workstations only using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Machine Expert to v2.2 on the engineering workstation and deploy latest firmware to Modicon M241, M251, and M262 controllers, then perform controller reboot
HOTFIX: Update Vijeo Designer to v6.3.1 on the engineering workstation and redeploy project file to Harmony HMISCU Controller to address CVE-2022-4224
HOTFIX: Update PacDrive 3 Controllers (LMC Eco/Pro/Pro2) firmware via Machine Expert v2.2 and reboot
HARDENING: Audit and enforce strong credentials for all engineering workstations and limit access to authorized personnel only
HARDENING: Monitor CODESYS Runtime logs and controller audit trails for unauthorized code deployment or access attempts
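One way to check that the port restriction from "Do now" actually holds and to support the monitoring item above is to audit firewall or flow records for traffic to ports 2455 and 11740 that does not come from an authorized engineering workstation. This is an added example, not part of the advisory; the record format, subnets, workstation addresses and the audit_flows function are assumptions, and the sample records are constructed.

```python
import ipaddress

# CODESYS Runtime ports named in the advisory's prerequisites.
CODESYS_PORTS = {2455, 11740}

# Assumptions for illustration: plant and controller subnets and the
# allowlist of engineering workstations are placeholders, not from the page.
PLANT_NET = ipaddress.ip_network("10.20.0.0/16")
CONTROLLER_NET = ipaddress.ip_network("10.20.30.0/24")
AUTHORIZED_WORKSTATIONS = {ipaddress.ip_address("10.20.10.5"),
                           ipaddress.ip_address("10.20.10.6")}

# Constructed sample records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2023-04-12T08:01:10Z 10.20.10.5 10.20.30.11 11740 ALLOW
2023-04-12T08:03:44Z 10.20.40.77 10.20.30.11 11740 ALLOW
2023-04-12T08:05:02Z 10.20.40.77 10.20.30.12 2455 DENY
2023-04-12T08:07:30Z 203.0.113.9 10.20.30.11 2455 ALLOW
2023-04-12T08:09:15Z 10.20.40.77 10.20.30.11 443 ALLOW
malformed line
"""

def audit_flows(text):
    """Return (line, kind, detail) for CODESYS-port traffic to controllers
    that does not originate from an authorized engineering workstation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ts, src, dst, dport, action = line.split()
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Never silently drop records the audit could not read.
            findings.append((lineno, "unparsed", line))
            continue
        if dst not in CONTROLLER_NET or dport not in CODESYS_PORTS:
            continue
        if src in AUTHORIZED_WORKSTATIONS:
            continue
        if action != "ALLOW":
            kind = "blocked-attempt"      # rule works; source still worth a look
        elif src not in PLANT_NET:
            kind = "external-source"      # reachable from outside the plant
        else:
            kind = "rule-gap"             # internal host the firewall should block
        findings.append((lineno, kind, f"{ts} {src} -> {dst}:{dport}"))
    return findings
```

A "rule-gap" or "external-source" finding means the workaround is not fully in place for that path; "blocked-attempt" records show the rule working and identify hosts to investigate.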
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PacDrive Controller LMC078 All Versions, Modicon Controller M258 All Versions, Modicon Controller M218 All Versions, Modicon Controller LMC058 All Versions. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate automation controllers from general IT network and untrusted traffic sources