CODESYS (Edge) Gateway for Windows insecure default

CVSS 5.3 | VDE-2025-013 | Mar 18, 2025
CODESYS
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The CODESYS Gateway (Edge Gateway and Gateway for Windows) listens on all network interfaces by default in versions before 3.5.21.0, even though it is intended only for local access by the CODESYS Development System on the same host. An unauthenticated attacker with network access can connect to the Gateway and read process data and system configuration information. Starting with version 3.5.21.0, the Gateway binds only to localhost (127.0.0.1) by default, so remote connections are refused unless the operator explicitly enables them. Remote access can be re-enabled selectively by setting the LocalAddress configuration parameter to the address of a specific local interface rather than 0.0.0.0 (all interfaces).

What this means
What could happen
An attacker on the network can connect to the CODESYS Gateway without authentication and gain unauthorized visibility into process data or engineering configurations. This could allow information disclosure about your control logic, setpoints, and system design.
Who's at risk
This vulnerability affects CODESYS development and runtime installations used in industrial automation environments. Organizations running CODESYS Development System V3, CODESYS Control Win, CODESYS HMI, or CODESYS OPC DA Server should verify their installed versions. The impact is primarily on sites using CODESYS for PLC programming, HMI development, or OPC data servers.
How it could be exploited
An attacker discovers the CODESYS Gateway listening on its default port from the network, connects without credentials, and retrieves information about the CODESYS runtime and connected control systems. No authentication is required and the connection is initiated remotely over TCP/IP.
Prerequisites
  • Network access to the TCP port the Gateway listens on (TCP 1217 by default for Development System connections, or TCP 11740 for the block driver; port 502 is Modbus TCP and is not a CODESYS Gateway port)
  • Gateway version before 3.5.21.0, or a later version whose LocalAddress has been deliberately set to a non-loopback address
  • No host or network firewall rule limiting the Gateway port to trusted engineering workstations
Tags: Remotely exploitable | No authentication required | Low complexity attack | Insecure default configuration | Affects engineering visibility and system configuration
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Edge Gateway | <3.5.21.0 | Fixed in 3.5.21.0
Gateway for Windows | <3.5.21.0 | Fixed in 3.5.21.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the CODESYS Gateway port with host firewall rules so that only trusted engineering workstations can connect; this is the only immediate control for installations that cannot be updated yet.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Edge Gateway for Windows to version 3.5.21.0 or later.
HOTFIX: Update CODESYS Gateway for Windows to version 3.5.21.0 or later.
HOTFIX: If CODESYS Development System V3, CODESYS Control Win (SL), CODESYS HMI, or CODESYS OPC DA Server SL is installed, uninstall it and reinstall version 3.5.21.0 or later so that the bundled Gateway and its firewall rules are reset; an in-place update alone does not guarantee this.
HARDENING: If remote access is required, set LocalAddress in Gateway.cfg to the address of the one interface that should accept connections instead of 0.0.0.0 (all interfaces), and keep the host firewall rule in place so that only authorized workstations can reach that interface. LocalAddress selects where the Gateway listens; it does not filter client addresses by itself.
HARDENING: Inventory which CODESYS products are installed in your environment (each may carry its own copy of the Gateway) and confirm every one is at 3.5.21.0 or later; after updating, verify from a host outside the engineering network that the Gateway port no longer accepts connections.
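The following audit script is an added example written for this page, not a CODESYS tool. It reads the LocalAddress setting from a Gateway.cfg, applies the version-dependent default from the advisory (all interfaces before 3.5.21.0, loopback from 3.5.21.0 on) when the key is absent, and reports the exposure with the matching remediation. It assumes the TCP driver settings live in a section named [CmpGwCommDrvTcp] and that the bind-address key is LocalAddress; check your own Gateway.cfg for the exact names. The sample config texts are constructed for illustration. The port_reachable helper is meant to be run from a workstation outside the engineering network to confirm that the fix actually closes remote access; the firewall rule itself is still configured separately.

```python
"""Audit a CODESYS Gateway.cfg for the remote-exposure default in VDE-2025-013.

Example code added to this advisory page; it is not CODESYS's own tooling.
Assumptions (verify against your installation): the TCP driver settings are in
a section named [CmpGwCommDrvTcp] and the bind address key is LocalAddress.
"""
import configparser
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

GATEWAY_SECTION = "CmpGwCommDrvTcp"   # assumed section name
FIXED_VERSION = (3, 5, 21, 0)         # advisory: localhost-only default starts here


@dataclass
class Finding:
    local_address: Optional[str]   # value as written in Gateway.cfg, None if absent
    exposure: str                  # "all-interfaces", "localhost", "restricted", "unknown"
    action: str                    # recommended follow-up


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.5.21' -> (3, 5, 21, 0); missing trailing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def read_local_address(cfg_text: str) -> Optional[str]:
    """Return the LocalAddress value from the TCP driver section, or None if unset."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section(GATEWAY_SECTION):
        return None
    return parser.get(GATEWAY_SECTION, "LocalAddress", fallback=None)


def classify(local_address: Optional[str], version: str) -> str:
    """Map a bind address (plus installed version, for the unset case) to exposure."""
    if local_address is None:
        # Before 3.5.21.0 the Gateway bound all interfaces by default;
        # from 3.5.21.0 the default is 127.0.0.1 (per the advisory).
        return "all-interfaces" if parse_version(version) < FIXED_VERSION else "localhost"
    try:
        addr = ipaddress.ip_address(local_address.strip())
    except ValueError:
        return "unknown"
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:
        return "localhost"
    return "restricted"          # bound to one specific interface address


ACTIONS = {
    "all-interfaces": "Exposed on every interface: update to 3.5.21.0 or later, or set "
                      "LocalAddress to 127.0.0.1 (or one engineering-network interface) "
                      "and add a host firewall rule limiting the port to engineering hosts.",
    "localhost": "Bound to loopback only; remote connections are refused. No action needed.",
    "restricted": "Bound to a specific interface; confirm it faces only the engineering "
                  "network and that a firewall rule limits source addresses.",
    "unknown": "LocalAddress is not a valid IP literal; inspect Gateway.cfg manually.",
}


def audit(cfg_text: str, version: str) -> Finding:
    """Combine config contents and installed version into one finding."""
    local_address = read_local_address(cfg_text)
    exposure = classify(local_address, version)
    return Finding(local_address, exposure, ACTIONS[exposure])


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Run from a host OUTSIDE the engineering network: True if a TCP handshake
    to host:port completes. A reachable Gateway port means the LocalAddress or
    firewall fix is not in effect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample configs (not real files from a CODESYS install).
VULNERABLE_CFG = """
[CmpGwCommDrvTcp]
; pre-3.5.21.0 style: bound to every interface
LocalAddress=0.0.0.0
Port=1217
"""

HARDENED_CFG = """
[CmpGwCommDrvTcp]
; 3.5.21.0 default: local Development System access only
LocalAddress=127.0.0.1
Port=1217
"""

RESTRICTED_CFG = """
[CmpGwCommDrvTcp]
; remote access deliberately enabled on one engineering-network interface
LocalAddress=192.168.10.5
Port=1217
"""

UNSET_CFG = """
[CmpGwCommDrvTcp]
Port=1217
"""

if __name__ == "__main__":
    for name, cfg, ver in [("vulnerable", VULNERABLE_CFG, "3.5.20.0"),
                           ("hardened", HARDENED_CFG, "3.5.21.0"),
                           ("restricted", RESTRICTED_CFG, "3.5.21.0"),
                           ("unset, old version", UNSET_CFG, "3.5.20.0")]:
        f = audit(cfg, ver)
        print(f"{name:20s} LocalAddress={f.local_address!s:12s} -> {f.exposure}: {f.action}")
```

Run it against a copy of Gateway.cfg pulled from each engineering host together with the installed Gateway version; anything reported as "all-interfaces" is the condition this advisory describes. Treat "restricted" as a prompt to confirm the firewall rule, not as a clean result, since LocalAddress only chooses the interface and does nothing about which clients may connect to it.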
CODESYS (Edge) Gateway for Windows insecure default | CVSS 5.3 - OTPulse