WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation

Plan PatchCVSS 9.1VDE-2021-056Nov 16, 2021

CODESYSWAGOManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in CODESYS 2.3 Runtime and WebVisualisation affect WAGO PLC controllers. The vulnerabilities include buffer overflows (CWE-126, CWE-823, CWE-122), improper error handling (CWE-252), and null pointer dereference (CWE-476), which could lead to denial of service or information disclosure. All WAGO 750-series Ethernet controllers and PFC200 controllers running CODESYS 2.3 Runtime with firmware versions listed in the affected products table are vulnerable. Vendors have released fixed firmware versions for all affected models.

What this means

What could happen

Multiple memory corruption and access vulnerabilities in CODESYS 2.3 Runtime could allow an attacker to crash your PLC or potentially execute arbitrary code, disrupting production processes and equipment control.

Who's at risk

Manufacturing facilities using WAGO PLC controllers (750-series Ethernet or PFC200 series) running CODESYS 2.3 Runtime are affected. This includes plants relying on these PLCs for process automation, motion control, or equipment safety logic.

How it could be exploited

An attacker with network access to the PLC could send specially crafted requests to the CODESYS 2.3 Runtime (default port 2455) or WebVisualisation interface to trigger buffer overflows, out-of-bounds memory access, or null pointer dereference, leading to process termination or code execution.

Prerequisites

Network access to port 2455 (CODESYS Runtime) or WebVisualisation interface
No authentication required

remotely exploitableno authentication requiredlow complexityaffects industrial control systemshigh CVSS score (9.1)

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

750-8202/xxx-xxx≤ 03.07.14 (19)FW20

750-8203/xxx-xxx≤ 03.07.14 (19)FW20

750-8204/xxx-xxx≤ 03.07.14 (19)FW20

750-8206/xxx-xxx≤ 03.07.14 (19)FW20

750-8207/xxx-xxx≤ 03.07.14 (19)FW20

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable CODESYS 2.3 WebVisualisation feature on all affected PLCs.

WORKAROUNDDisable or restrict access to CODESYS 2.3 port 2455 using firewall rules; block inbound traffic to this port from untrusted networks.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

750-823

HOTFIXUpdate PLC firmware to the fixed versions listed in the advisory: 750-823 to FW10 or later, 750-829/831/852/880/881/882/885/889 to FW17 or later, 750-832/862/890/891/893 to FW10 or later, and 750-8202/8203/8204/8206/8207/8208/8210/8211/8212/8213/8214/8216/8217 to FW20 or later.

Long-term hardening

0/1

HARDENINGRestrict network access to affected PLCs; do not allow direct connectivity from untrusted networks or the internet.

CVEs (6)

CVE-2021-34584 CVE-2021-34595 CVE-2021-34583 CVE-2021-34585 CVE-2021-34586 CVE-2021-34596

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3144ba79-581f-4519-9b6e-aca266144064

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.