CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere

Plan PatchCVSS 7.8VDE-2024-027Jun 4, 2024

CODESYSManufacturing

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

All legitimate local Windows users on machines running affected CODESYS products can read or modify files in the working directory, regardless of which user account the software runs under. This allows unauthorized access to control logic, configuration data, and sensitive engineering files. The vulnerability stems from improper file permission isolation between user contexts on Windows. Affected products: CODESYS Control Win, Development System V3, Edge Gateway for Windows, Gateway for Windows, and HMI (all versions before 3.5.20.10).

What this means

What could happen

Any local Windows user on a machine running vulnerable CODESYS software can read or modify program files and configuration data, potentially altering control logic or stealing sensitive engineering information. In a manufacturing environment, this could allow unauthorized changes to process parameters or PLC behavior.

Who's at risk

Manufacturing plants using CODESYS for control logic development and runtime should care: this affects CODESYS Control Win (the runtime for Windows-based PLCs), the Development System (used by control engineers to write and test code), HMI packages, and Gateway products used for remote access. Any facility where engineering staff or maintenance users have local access to these machines is at risk.

How it could be exploited

An attacker with a local user account (no elevation required) can directly access the working directories where CODESYS stores configuration, logic, and runtime data. They can read sensitive files or modify them to alter control behavior. If CODESYS runs under a different user context (e.g., LocalSystem), the attacker may still access shared directories depending on permissions.

Prerequisites

Local user account on the Windows machine where CODESYS software is installed
No special privileges required; standard user permissions are sufficient

No authentication required (local user access sufficient)Low complexity exploitationAffects safety-critical control logicDefault Windows user accounts can exploit

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

CODESYS Control Win<3.5.20.103.5.20.10

CODESYS Development System V3<3.5.20.103.5.20.10

CODESYS Edge Gateway for Windows<3.5.20.103.5.20.10

CODESYS Gateway for Windows<3.5.20.103.5.20.10

CODESYS HMI<3.5.20.103.5.20.10

Remediation & Mitigation

0/7

Do now

0/1

HARDENINGRestrict user accounts on machines running CODESYS to only those who need direct access for engineering or maintenance tasks

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

CODESYS Control Win

HOTFIXUpdate CODESYS Control Win to version 3.5.20.10 or later

CODESYS Development System V3

HOTFIXUpdate CODESYS Development System V3 to version 3.5.20.10 or later

CODESYS Edge Gateway for Windows

HOTFIXUpdate CODESYS Edge Gateway for Windows to version 3.5.20.10 or later

CODESYS Gateway for Windows

HOTFIXUpdate CODESYS Gateway for Windows to version 3.5.20.10 or later

CODESYS HMI

HOTFIXUpdate CODESYS HMI to version 3.5.20.10 or later

Long-term hardening

0/1

HARDENINGPlace CODESYS engineering workstations on a segmented network separate from production control networks to limit lateral movement from compromised user accounts

CVEs (1)

CVE-2023-5751

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/558f339c-ddb7-4fb4-8372-f83f917e3670

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.