Security News > 2023 > August > Industrial PLCs worldwide impacted by CODESYS V3 RCE flaws
Millions of PLC used in industrial environments worldwide are at risk to 15 vulnerabilities in the CODESYS V3 software development kit, allowing remote code execution and denial of service attacks.
Over 500 device manufacturers use the CODESYS V3 SDK for programming on more than 1,000 PLC models according to the IEC 61131-3 standard, allowing users to develop custom automation sequences.
The fifteen flaws in the CODESYS V3 SDK were discovered by Microsoft researchers, who reported them to CODESYS in September 2022.
Microsoft examined two PLCs from Schnieder Electric and WAGO that use CODESYS V3 and discovered 15 high-severity vulnerabilities.
Although the flaws require authentication to exploit, Microsoft says this requirement can be bypassed by using CVE-2019-9013, another flaw impacting CODESYS V3 that exposes user credentials during transport in cleartext form, as demonstrated below.
Admins are advised to upgrade to CODESYS V3 v3.5.19.0 as soon as possible, while Microsoft also recommends disconnecting PLCs and other critical industrial devices from the internet.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-08-15 | CVE-2019-9013 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Codesys products An issue was discovered in 3S-Smart CODESYS V3 products. | 8.8 |