CODESYS Key physical side-channel vulnerability

MonitorCVSS 4.9VDE-2025-001Jan 21, 2025

CODESYS

Attack path

Attack VectorPhysical

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

The CODESYS Key series 3 USB dongle (firmware versions before 4.52) is vulnerable to physical side-channel attacks. Using specialized equipment to measure power consumption, timing, or other physical characteristics, an attacker with direct physical access to the dongle could potentially extract cryptographic key material. The vulnerability is mitigated by restricting physical access to the dongle and has been corrected in firmware version 4.52.

What this means

What could happen

An attacker with physical access to a CODESYS Key USB dongle could extract sensitive cryptographic information through side-channel analysis, potentially compromising license protection and software integrity controls. This is a low-probability risk limited to environments where the dongle is accessible to untrusted personnel.

Who's at risk

Engineering teams and control system integrators who use CODESYS with CODESYS Key hardware license dongles. This applies to any facility using CODESYS for PLC programming and runtime—particularly water treatment, electric utilities, and other critical infrastructure running software-based controls that rely on the dongle for license enforcement and secure boot.

How it could be exploited

An attacker must physically possess or have direct physical access to a CODESYS Key dongle connected to a system running CODESYS software. Using specialized equipment to measure physical signals (such as power consumption or timing), the attacker could derive cryptographic key material stored on the dongle. This would require sustained physical access and specialized laboratory equipment, making it impractical in typical industrial deployments.

Prerequisites

Physical access to the CODESYS Key USB dongle
Specialized equipment to perform side-channel measurements (power analysis, timing analysis, or similar)
CODESYS Key firmware version 4.52 or earlier

physical side-channel vulnerability requires direct physical accesslow attack probability (0.3% EPSS)no authentication required once attacker has physical possessionaffects license and software integrity controls

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Key series 3<4.524.52

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict physical access to CODESYS Key dongles; store in locked enclosures when not in use and limit access to authorized personnel only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CODESYS Key firmware to version 4.52 or later via CodeMeter Control Center

Long-term hardening

0/1

HARDENINGRemove CODESYS Key from systems when not in active use, especially in multi-user or unsecured environments

CVEs (1)

CVE-2024-45678

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/44a7b2ba-21b8-4ce8-b7ba-ad905d364bbb

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.