CODESYS (Edge) Gateway for Windows insecure default

Monitor | CVSS 5.3 | VDE-2025-013 | Mar 18, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

CODESYS (Edge) Gateway for Windows prior to version 3.5.21.0 is configured by default to accept remote connections without authentication. The Gateway provides the communication interface between CODESYS runtimes and the CODESYS Development System. With remote accessibility enabled by default, an unauthenticated attacker on the network can connect to the Gateway and communicate with connected CODESYS controllers, potentially compromising system configuration and operations. The vulnerability affects CODESYS Edge Gateway and CODESYS Gateway for Windows versions before 3.5.21.0, including instances bundled with CODESYS Development System V3, CODESYS Control Win (SL), CODESYS HMI, and CODESYS OPC DA Server SL.

What this means
What could happen
By default, CODESYS Gateway is remotely accessible over the network without authentication, allowing an attacker to intercept communications between engineering workstations and CODESYS runtimes, potentially compromising the integrity of controller configuration or operations.
Who's at risk
Utilities and industrial facilities using CODESYS development environments and runtime controllers. This includes engineering workstations running CODESYS Development System V3, edge gateways connecting remote PLCs, and facilities using CODESYS Control Win, HMI systems, or OPC DA servers that bundle the affected Gateway software.
How it could be exploited
An attacker on the network can connect directly to the CODESYS Gateway service (TCP port 11740 by default) without credentials. They can then communicate with connected CODESYS runtimes to read or modify controller configurations, download programs, or interfere with runtime operation.
Prerequisites
  • Network access to CODESYS Gateway service (default port 11740)
  • No authentication credentials required
  • CODESYS Gateway exposed to network (not firewalled to localhost only)
Tags: remotely exploitable; no authentication required; low complexity; default insecure configuration; affects development and control systems
Affected products (2), 2 with fix

Product              Affected Versions   Fix Status
Edge Gateway         <3.5.21.0           Fixed in 3.5.21.0
Gateway for Windows  <3.5.21.0           Fixed in 3.5.21.0
Remediation & Mitigation

Do now
WORKAROUND: Configure LocalAddress in Gateway.cfg to 127.0.0.1 (localhost only) unless remote access is required for engineering workflow
HARDENING: Block inbound access to CODESYS Gateway port (default 11740) from untrusted networks using firewall rules
HARDENING: If remote access is required, restrict Gateway.cfg LocalAddress setting to specific engineering workstation IP addresses instead of 0.0.0.0
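As an added defender's check, not part of the advisory or of CODESYS's own tooling, the script below reads a Gateway.cfg fragment and the output of `netstat -ano` from the Gateway host and flags the insecure default (no LocalAddress, or port 11740 listening on every interface). Only the LocalAddress key, Gateway.cfg and port 11740 come from the advisory; the INI layout, the [CmpBlkDrvTcp] section name and the sample inputs are constructed assumptions.

```python
import re
from configparser import ConfigParser

GATEWAY_PORT = 11740                      # default Gateway TCP port (from the advisory)
WILDCARDS = {"0.0.0.0", "::", "[::]"}     # "bind every interface" addresses

def cfg_local_address(cfg_text, section="CmpBlkDrvTcp"):
    """LocalAddress from Gateway.cfg; a missing key is treated as 0.0.0.0.
    The INI layout and section name are assumptions, not from the advisory."""
    parser = ConfigParser(interpolation=None)
    parser.optionxform = str              # keep key case, so LocalAddress matches
    parser.read_string(cfg_text)
    if not parser.has_section(section):
        return "0.0.0.0"
    return parser.get(section, "LocalAddress", fallback="0.0.0.0").strip()

def exposed_listeners(netstat_text, port=GATEWAY_PORT):
    """Wildcard addresses on which `port` is LISTENING, from `netstat -ano` output."""
    hits = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(2)) == port and m.group(1) in WILDCARDS:
            hits.append(m.group(1))
    return hits

def assess(cfg_text, netstat_text, allowed=()):
    """Findings for the insecure default; `allowed` lists approved workstation IPs."""
    addr = cfg_local_address(cfg_text)
    findings = []
    if addr in WILDCARDS:
        findings.append("Gateway.cfg LocalAddress binds all interfaces (insecure default)")
    elif addr != "127.0.0.1" and addr not in allowed:
        findings.append(f"Gateway.cfg LocalAddress {addr} is neither localhost nor approved")
    for a in exposed_listeners(netstat_text):
        findings.append(f"TCP {GATEWAY_PORT} is LISTENING on {a}, reachable from the network")
    return findings

# Constructed samples (not captured from a real host).
INSECURE_CFG = "[CmpBlkDrvTcp]\nPort=11740\n"            # no LocalAddress at all
HARDENED_CFG = "[CmpBlkDrvTcp]\nLocalAddress=127.0.0.1\nPort=11740\n"
NETSTAT_EXPOSED = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:11740          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:11740        127.0.0.1:52011        ESTABLISHED     4120
"""
NETSTAT_LOCAL = "  TCP    127.0.0.1:11740        0.0.0.0:0              LISTENING       4120\n"

if __name__ == "__main__":
    for label, cfg, ns in (("before", INSECURE_CFG, NETSTAT_EXPOSED), ("after", HARDENED_CFG, NETSTAT_LOCAL)):
        print(label, assess(cfg, ns) or ["no findings"])
```

On a real host, feed it the actual Gateway.cfg and the captured `netstat -ano` text; an empty findings list after the workaround confirms the Gateway is only reachable from localhost or the approved workstations.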
Schedule — requires maintenance window

Patching may require a device reboot; plan for process interruption

HOTFIX: Update CODESYS Edge Gateway to version 3.5.21.0 or later
HOTFIX: Update CODESYS Gateway for Windows to version 3.5.21.0 or later
HOTFIX: Uninstall and reinstall CODESYS Development System V3, CODESYS Control Win (SL), CODESYS HMI, or CODESYS OPC DA Server SL using version 3.5.21.0 to reset firewall rules and ensure secure defaults
Source: OTPulse