Programmable logic controllers (PLCs) utilised in industrial environments are exposed to 15 vulnerabilities in the CODESYS V3 software development kit, which can lead to remote code execution (RCE) and denial of service (DoS) attacks. The vulnerabilities have been listed below and have been classified with a range of CVSSv3 scores within the high severity level (CVSS v3: 7.5 – 8.8):
Although successful exploitation requires authentication, this condition can be bypassed by exploiting CVE-2019-9013.
Successful exploitation of the vulnerabilities listed above can allow threat actors to perform RCE and DoS attacks, thus leading to the compromise of the integrity and availability of data.
CODESYS has released security upgrades regarding these vulnerabilities. As such, previous versions are vulnerable to potential exploitation.
The following products have been affected, provided that they operate versions prior to 184.108.40.206:
CODESYS Control RTE (SL)
CODESYS Control RTE (for Beckhoff CX) SL
CODESYS Control Win (SL)
CODESYS Control Runtime System Toolkit
CODESYS Safety SIL2 Runtime Toolkit
CODESYS Safety SIL2 PSP
CODESYS HMI (SL)
CODESYS Development System V3
CODESYS Development System V3 simulation runtime.
Additionally, the following products are affected, provided that they operate versions prior to 220.127.116.11:
CODESYS Control for BeagleBone SL
CODESYS Control for emPC-A/iMX6 SL
CODESYS Control for IOT2000 SL
CODESYS Control for Linux SL
CODESYS Control for PFC100 SL
CODESYS Control for PFC200 SL
CODESYS Control for PLCnext SL
CODESYS Control for Raspberry Pi SL
CODESYS Control for WAGO Touch Panels 600 SL.
Containment, Mitigations & Remediations
It is strongly recommended that administrators apply the upgrade to CODESYS V3 v18.104.22.168 as soon as possible. Microsoft also recommends that PLCs be disconnected from the internet.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
CODESYS holds a significant share of the integrated development environment market. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, these products could emerge as a prime target. Because CODESYS products have become an integral aspect of Industrial Control Systems (ICS) operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate sensitive data contained therein or impact associated business operations.
No attribution to specific threat actors or groups has been identified at the time of writing.
ICS Lateral Movement Technique:
T0866 – Exploitation of Remote Services