Pilz: Multiple vulnerabilities in CODESYS V2 and V3 runtime system

Plan PatchCVSS 9.8VDE-2021-054Apr 26, 2022

CODESYSPilzManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities exist in the CODESYS V2 and V3 runtime systems used by Pilz motion controllers and operator terminals. These runtime environments enable execution of IEC 61131-3 PLC programs. An attacker on the network can exploit these vulnerabilities to reduce availability and, in worst case scenarios, insert malicious program code into the controller. Vulnerabilities include buffer overflows, null pointer dereferences, improper input validation, and lack of security checks. The CODESYS V2 runtime is no longer supported by Pilz but remains included for compatibility. PMCprimo C and PMI 6 primo have no fix available.

What this means

What could happen

An attacker with network access to these controllers could execute arbitrary code or cause operational failures. In the worst case, an attacker could alter PLC program behavior, modify safety-critical control logic, or halt machine operations.

Who's at risk

Manufacturing facilities using Pilz motion controllers (PMCprimo C, C2.0, C2.1, MC) and operator terminals (PMI 6 primo) should review their deployments immediately. These devices control machine motion and safety-critical operations in production lines and automation systems.

How it could be exploited

An attacker on the network sends malformed or malicious packets to the CODESYS runtime system listening on the network port. The runtime system fails to properly validate or bounds-check the input, allowing the attacker to inject code or trigger a crash. No authentication is required.

Prerequisites

Network access to the controller (CODESYS runtime port)
No credentials required

remotely exploitableno authentication requiredlow complexityaffects safety systemsno patch available for some products

Exploitability

Some exploitation risk — EPSS score 4.3%

Affected products (5)

3 with fix2 EOL

ProductAffected VersionsFix Status

Motion controller PMCprimo CAll versionsNo fix (EOL)

Motion controller PMCprimo C2.0 (plug-in card)≤ 03.07.0003.08.00

Motion controller PMCprimo C2.1 (housing version)≤ 03.07.0003.08.00

Motion controller PMCprimo MC≤ 03.07.0003.08.00

Operator terminal/controller PMI 6 primoAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGImplement network segmentation to restrict access to controller network ports from only authorized engineering workstations and control systems

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Motion controller PMCprimo C2.0 (plug-in card)

HOTFIXUpdate PMCprimo C2.0 and PMCprimo C2.1 (plug-in card or housing) to firmware version 03.08.00

All products

HOTFIXUpdate PMCprimo MC to firmware version 03.08.00

HOTFIXMigrate applications from CODESYS V2 runtime system to CODESYS V3 runtime system

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Motion controller PMCprimo C, Operator terminal/controller PMI 6 primo. Apply the following compensating controls:

HARDENINGDisable unnecessary network services and ports on affected controllers if supported by firmware

CVEs (18)

CVE-2021-36764 CVE-2021-34596 CVE-2021-34595 CVE-2021-34593 CVE-2021-30195 CVE-2021-30188 CVE-2021-29242 CVE-2021-29241 CVE-2020-7052 CVE-2020-6081 CVE-2020-12069 CVE-2020-12067 CVE-2019-9013 CVE-2019-9011 CVE-2019-9009 CVE-2019-5105 CVE-2019-19789 CVE-2021-30186

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d01b6527-400b-4f80-86f2-5d740f9303d6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.