OTPulse

CODESYS Runtime Vulnerabilities

Plan PatchCVSS 8.8SEVD-2023-101-01Apr 11, 2023
Schneider ElectricCODESYSEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Multiple vulnerabilities in CODESYS Runtime embedded in Schneider Electric controllers could result in denial of service or remote code execution. Affected products include PacDrive 3 Controllers (LMC Eco/Pro/Pro2), Modicon Controllers (M241, M251, M262, M258, M218, LMC058), and Harmony HMISCU. Successful exploitation could compromise controller integrity and allow attackers to alter logic or change permissions on industrial control devices. Most products have no fix available; partial remediation exists for CVE-2022-4224 in select models via firmware updates delivered through Machine Expert v2.2 or Vijeo Designer v6.3.1.

What this means
What could happen
An attacker with network access and valid engineering credentials could remotely execute code on your Modicon or PacDrive controllers, potentially stopping production or altering process logic. Most affected controllers have no available patch, leaving systems vulnerable to denial of service attacks and logic tampering.
Who's at risk
Energy utilities and manufacturing facilities using Schneider Electric automation controllers should prioritize this issue. Specifically: energy sector operators managing power distribution or generation with Modicon M-series controllers, manufacturing plants running PacDrive 3 LMC systems, and facilities using Harmony HMISCU human-machine interfaces. The issue affects controllers at all firmware versions currently deployed.
How it could be exploited
An attacker with low-privilege access to the automation network could exploit these CODESYS Runtime vulnerabilities to bypass authentication or inject malicious code into the controller. The attack requires network connectivity to the controller and valid engineering workstation credentials to deploy the exploit through the engineering software interface.
Prerequisites
  • Network access to the CODESYS Runtime service on affected controllers (typically port 2455 or 11740)
  • Valid engineering workstation credentials or access to the engineering software (Machine Expert or Vijeo Designer)
  • Access to the controller management interface to deploy code or firmware updates
  • Typically requires intra-plant network access; not remotely exploitable across internet without VPN/DMZ exposure
No patch available for most affected products (M218, M258, LMC058 unpatched)Partial fix only for CVE-2022-4224, other CODESYS vulnerabilities remainRequires valid credentials but low authentication complexity once inside networkRemote code execution possible if exploitedAffects safety-critical industrial control systemsLogic integrity and permission attacks possible
Exploitability
Some exploitation risk — EPSS score 1.1%
Affected products (9)
3 with fix2 pending4 EOL
ProductAffected VersionsFix Status
Modicon Controller M241 All VersionsAll versionsFirmware delivered with Machine Expert v2.2 (CVE-2022-4224 only)
PacDrive 3 Controllers: LMC Eco/Pro/Pro2 All VersionsAll versionsNo fix yet
Modicon Controller M251 All VersionsAll versionsFirmware delivered with Machine Expert v2.2 (CVE-2022-4224 only)
PacDrive Controller LMC078 All VersionsAll versionsNo fix (EOL)
Modicon Controller M262 All VersionsAll versionsFirmware delivered with Machine Expert v2.2 (CVE-2022-4224 only)
Modicon Controller M258 All VersionsAll versionsNo fix (EOL)
Modicon Controller M218 All VersionsAll versionsNo fix (EOL)
Modicon Controller LMC058 All VersionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/7
Do now
0/1
WORKAROUNDRestrict network access to CODESYS Runtime ports (2455, 11740) to authorized engineering workstations only using firewall rules
Schedule — requires maintenance window
0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Machine Expert to v2.2 on the engineering workstation and deploy latest firmware to Modicon M241, M251, and M262 controllers, then perform controller reboot
HOTFIXUpdate Vijeo Designer to v6.3.1 on the engineering workstation and redeploy project file to Harmony HMISCU Controller to address CVE-2022-4224
HOTFIXUpdate PacDrive 3 Controllers (LMC Eco/Pro/Pro2) firmware via Machine Expert v2.2 and reboot
HARDENINGAudit and enforce strong credentials for all engineering workstations and limit access to authorized personnel only
HARDENINGMonitor CODESYS Runtime logs and controller audit trails for unauthorized code deployment or access attempts
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: PacDrive Controller LMC078 All Versions, Modicon Controller M258 All Versions, Modicon Controller M218 All Versions, Modicon Controller LMC058 All Versions. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate automation controllers from general IT network and untrusted traffic sources
View full Schneider Electric advisory
API: /api/v1/advisories/d63c07f8-ea28-4d72-8f88-d79717596437

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

CODESYS Runtime Vulnerabilities | CVSS 8.8 - OTPulse