CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere
Plan Patch · 7.8 · VDE-2024-027 · Jun 4, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
All legitimate local Windows users on machines running affected CODESYS products can read or modify files in the working directory, regardless of which user account the software runs under. This allows unauthorized access to control logic, configuration data, and sensitive engineering files. The vulnerability stems from improper file permission isolation between user contexts on Windows. Affected products: CODESYS Control Win, Development System V3, Edge Gateway for Windows, Gateway for Windows, and HMI (all versions before 3.5.20.10).
What this means
What could happen
Any local Windows user on a machine running vulnerable CODESYS software can read or modify program files and configuration data, potentially altering control logic or stealing sensitive engineering information. In a manufacturing environment, this could allow unauthorized changes to process parameters or PLC behavior.
Who's at risk
Manufacturing plants using CODESYS for control logic development and runtime should care: this affects CODESYS Control Win (the runtime for Windows-based PLCs), the Development System (used by control engineers to write and test code), HMI packages, and Gateway products used for remote access. Any facility where engineering staff or maintenance users have local access to these machines is at risk.
How it could be exploited
An attacker with a local user account (no elevation required) can directly access the working directories where CODESYS stores configuration, logic, and runtime data. They can read sensitive files or modify them to alter control behavior. If CODESYS runs under a different user context (e.g., LocalSystem), the attacker may still access shared directories depending on permissions.
Prerequisites
- Local user account on the Windows machine where CODESYS software is installed
- No special privileges required; standard user permissions are sufficient
- No authentication required (local user access sufficient)
- Low complexity exploitation
- Affects safety-critical control logic
- Default Windows user accounts can exploit
Affected products (5)
5 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| CODESYS Control Win | <3.5.20.10 | 3.5.20.10 |
| CODESYS Development System V3 | <3.5.20.10 | 3.5.20.10 |
| CODESYS Edge Gateway for Windows | <3.5.20.10 | 3.5.20.10 |
| CODESYS Gateway for Windows | <3.5.20.10 | 3.5.20.10 |
| CODESYS HMI | <3.5.20.10 | 3.5.20.10 |
Remediation & Mitigation
Do now
HARDENING: Restrict user accounts on machines running CODESYS to only those who need direct access for engineering or maintenance tasks
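To see which broad local groups can currently reach a working directory, the following added PowerShell example (not CODESYS or vendor code) lists the relevant ACL entries. The directory path is a parameter because the advisory does not name it, and the SID list is an assumption about which groups stand for "all local users".

```powershell
# Added example, not CODESYS code. Lists Allow ACEs on a directory that give
# broad local groups read or write access.
param(
    # Assumption: supply your installation's working directory; the advisory
    # does not state its path.
    [Parameter(Mandatory = $true)][string]$WorkingDirectory
)

# Assumption: well-known SIDs treated here as "any local user".
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$R = [System.Security.AccessControl.FileSystemRights]
# Generic bits (0x10000000 ALL, 0x40000000 WRITE, 0x80000000 READ) can appear
# unmapped in inherit-only ACEs, so they are tested as well.
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
    $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000
$readMask = [int]($R::ReadData) -bor 0x80000000 -bor 0x10000000

# Ask for SIDs rather than names so the check works on localized Windows.
$acl   = Get-Acl -LiteralPath $WorkingDirectory
$rules = $acl.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    $sid = $ace.IdentityReference.Value
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not $broadSids.ContainsKey($sid)) { continue }
    $bits     = [int]$ace.FileSystemRights
    $canWrite = ($bits -band $writeMask) -ne 0
    $canRead  = ($bits -band $readMask) -ne 0
    if (-not ($canRead -or $canWrite)) { continue }
    [pscustomobject]@{
        Group     = $broadSids[$sid]
        Access    = if ($canWrite) { 'read/write' } else { 'read' }
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled audit can alert on exposure
}
Write-Output "No broad-group read/write ACEs on $WorkingDirectory"
```

The script inspects only the directory's own ACL; files or subfolders with explicit, non-inherited entries need the same check applied to each of them.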
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
CODESYS Control Win
HOTFIX: Update CODESYS Control Win to version 3.5.20.10 or later
CODESYS Development System V3
HOTFIX: Update CODESYS Development System V3 to version 3.5.20.10 or later
CODESYS Edge Gateway for Windows
HOTFIX: Update CODESYS Edge Gateway for Windows to version 3.5.20.10 or later
CODESYS Gateway for Windows
HOTFIX: Update CODESYS Gateway for Windows to version 3.5.20.10 or later
CODESYS HMI
HOTFIX: Update CODESYS HMI to version 3.5.20.10 or later
Long-term hardening
HARDENING: Place CODESYS engineering workstations on a segmented network separate from production control networks to limit lateral movement from compromised user accounts
CVEs (1)
API:
/api/v1/advisories/558f339c-ddb7-4fb4-8372-f83f917e3670