WAGO: Controller with CODESYS 2.3 Runtime Denial-of-Service

MonitorCVSS 4.9VDE-2023-006Jun 25, 2023

CODESYSWAGO

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability exists in WAGO Ethernet Controllers (3rd and 4th generation) and PFC200 controllers running CODESYS 2.3 runtime. An authenticated attacker can send a malformed packet to the CODESYS V2 runtime communication port, triggering improper handling of the packet that crashes the device and halts the PLC runtime. The vulnerability requires valid engineering credentials and network access to the controller's CODESYS communication interface. WAGO has released firmware updates to address this issue across all affected product lines.

What this means

What could happen

An authenticated attacker can crash WAGO controllers running CODESYS 2.3 runtime by sending a malformed packet, causing the PLC to stop responding and interrupting any automated processes it controls.

Who's at risk

Organizations operating WAGO Ethernet Controllers (3rd and 4th generation models 750-series) and PFC200 programmable controllers that run CODESYS 2.3 runtime, particularly in water systems, building automation, or distributed I/O applications. Any facility using these PLCs for critical automated processes is at risk of unplanned downtime.

How it could be exploited

An attacker with network access to the CODESYS V2 runtime communication port (default port 502 or configured port) and valid credentials can send a specially crafted packet to the PLC's packet parsing function. This causes an unhandled exception that crashes the runtime, dropping all connections and halting any control logic execution.

Prerequisites

Network access to the PLC's CODESYS 2 runtime communication port
Valid PLC engineering credentials or access to a programming workstation
CODESYS 2 runtime enabled on the device
Device running affected firmware version

Remotely exploitableRequires authenticationLow complexity attackAffects availability / causes denial of serviceVendor patches availableAffects industrial automation and control systems

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (17)

17 with fix

ProductAffected VersionsFix Status

Ethernet Controller 3rd Generation 750-331≤ FW14FW17 (after BACnet certification)

Ethernet Controller 3rd Generation 750-829≤ FW14FW17 (after BACnet certification)

Ethernet Controller 3rd Generation 750-831/xxx-xxx≤ FW14FW17 (after BACnet certification)

Ethernet Controller 3rd Generation 750-852≤ FW16FW17

Ethernet Controller 3rd Generation 750-880/xxx-xxx≤ FW16FW17

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDisable the CODESYS 2 runtime communication port if the PLC runtime is not actively needed via Configuration > PLC Runtime Services > CODESYS 2 > communication enabled in the web management interface

HARDENINGRestrict network access to the PLC and CODESYS communication ports to only authorized engineering workstations and programming networks using firewall rules

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

PFC200

HOTFIXUpdate WAGO PFC200 family controllers to firmware version FW22 Patch 2 or later

All products

HOTFIXUpdate WAGO Ethernet Controller 3rd Generation (750-331, 750-829, 750-831, 750-852, 750-880, 750-881, 750-882, 750-885, 750-889) to firmware version FW17

HOTFIXUpdate WAGO Ethernet Controller 4th Generation (750-823, 750-332, 750-832, 750-862, 750-890, 750-891, 750-893) to firmware version FW11

Long-term hardening

0/1

HARDENINGIsolate industrial control systems from direct Internet access and untrusted networks; apply defense-in-depth network segmentation

CVEs (2)

CVE-2023-1619 CVE-2023-1620

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2f210910-cd75-4f8e-97f2-0698bc0d691e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.