10 Critical Flaws Found in CODESYS Industrial Automation Software
2021-06-04 08:48

Cybersecurity researchers on Thursday disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that could be exploited to achieve remote code execution on programmable logic controllers.

The Russian cybersecurity firm noted that it detected the vulnerabilities on a PLC offered by WAGO, which, like other automation technology companies such as Beckhoff, Kontron, Moeller, Festo, Mitsubishi, and HollySys, uses CODESYS software for programming and configuring the controllers.

Six of the most severe flaws were identified in the CODESYS V2.3 web server component used by CODESYS WebVisu to visualize a human-machine interface in a web browser.

Lastly, a flaw found in the CODESYS Control V2 Linux SysFile library could be used to call additional PLC functions, in turn allowing a bad actor to delete files and disrupt critical processes.

"An attacker with low skills would be able to exploit these vulnerabilities," CODESYS cautioned in its advisory, adding it found no known public exploits that specifically target them.

The disclosure of the CODESYS flaws comes close on the heels of similar issues that were addressed in Siemens SIMATIC S7-1200 and S7-1500 PLCs that could be exploited by attackers to remotely gain access to protected areas of the memory and achieve unrestricted and undetected code execution.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/rD4npLdHEcw/10-critical-flaws-found-in-codesys.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Codesys 69 2 75 44 3 124