{"id":131328,"date":"2023-08-10T17:00:00","date_gmt":"2023-08-11T00:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=131328"},"modified":"2024-07-03T12:07:26","modified_gmt":"2024-07-03T19:07:26","slug":"multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/08\/10\/multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos\/","title":{"rendered":"Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS\u00a0"},"content":{"rendered":"\n
Microsoft\u2019s cyberphysical system researchers recently identified multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs). Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial of service (DoS). The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments.<\/p>\n\n\n\n
CODESYS is compatible<\/a> with approximately 1,000 different device types from over 500 manufacturers and several million devices that use the solution to implement the international industrial standard IEC (International Electrotechnical Commission) 611131-3. A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information. Exploiting the discovered vulnerabilities, however, requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.<\/p>\n\n\n\n Microsoft researchers reported the discovery to CODESYS in September 2022 and worked closely with CODESYS to ensure that the vulnerabilities are patched. Information on the patch released by CODESYS to address these vulnerabilities can be found here: Security update for CODESYS Control V3<\/a>. <\/a>We strongly urge CODESYS users to apply these security updates<\/a> as soon as possible. We also thank CODESYS for their collaboration and recognizing the urgency in addressing these vulnerabilities. <\/p>\n\n\n\n Below is a list of the discovered vulnerabilities discussed in this blog: <\/p>\n\n\n\n