Multiple Critical Vulnerabilities Reported in CODESYS V3 SDK

Web Servers
Advisory ID: CVE-2019-9013; CVE-2022-47379; CVE-2022-47380; CVE-2022-47381; CVE-2022-47382; CVE-2022-47383; CVE-2022-47384; CVE-2022-47385; CVE-2022-47386; CVE-2022-47387; CVE-2022-47388; CVE-2022-47389; CVE-2022-47390; CVE-2022-47391; CVE-2022-47392; CVE-2022-47393
August 16, 2023


Multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK) were recently discovered by Microsoft's cyber-physical system researchers. By triggering a buffer overflow in a variety of industrial control system devices, the researchers uncovered a number of vulnerabilities. These flaws could be used for denial of service (DoS) or remote code execution (RCE) attacks.

Description & Consequence

The CODESYS V3 software development kit (SDK) is a development environment used industry-wide to program programmable logic controllers (PLCs). It helps manufacturers implement IEC 61131-3, the vendor-independent international standard for programmable controller programming languages in industrial automation. To conduct this attack, the researchers first had to bypass user authentication, which they did by exploiting CVE-2019-9013. This allows a “replay attack against the PLC using the unsecured username and password’s hash that were sent during the sign-in process, allowing bypass of user authentication process.” They then had to create a new channel for the attack before signing in to the device with the stolen credentials. A malicious packet that triggers a buffer overflow is then sent to exploit the vulnerabilities and gain full control of the device. The complete exploit steps are summarized as follows:

  1. Steal credentials with CVE-2019-9013.
  2. Create a new channel for the attack.
  3. Sign in to the device with the stolen credentials.
  4. Exploit the vulnerabilities with a malicious packet that triggers buffer overflow.
  5. Gain full control of the device.
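The authentication bypass in step 1 works because the credential sent at sign-in (a password hash) is the same in every session, so a captured copy can simply be resent. The toy model below, added here as an illustration and not taken from the CODESYS protocol or from Microsoft's research, contrasts a server that accepts a static hash with one that issues a fresh random nonce per sign-in and expects a response bound to that nonce; the user store, password and class names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the example (assumption: one user, password hash only).
USERS = {"engineer": hashlib.sha256(b"example-password").hexdigest()}


class StaticHashLogin:
    """Server that accepts the password hash itself as the credential.
    The value on the wire never changes, so a captured copy is valid forever."""

    def login(self, user, presented_hash):
        return hmac.compare_digest(USERS.get(user, ""), presented_hash)


class ChallengeResponseLogin:
    """Server that issues a random nonce per sign-in and expects HMAC(password_hash, nonce).
    A captured response is bound to the nonce it answered and is useless afterwards.
    (The stored hash is still the long-term secret; this stops wire replay, not theft of the store.)"""

    def __init__(self):
        self._pending = {}  # user -> nonce awaiting a response

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user, response):
        nonce = self._pending.pop(user, None)  # a nonce is consumed by exactly one attempt
        if nonce is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user].encode(), nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """What a legitimate client sends for the challenge-response server."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(pw_hash.encode(), nonce, hashlib.sha256).hexdigest()


def replay_outcomes():
    """Run one genuine sign-in and one replay against each server design.
    Returns a dict of booleans: whether each attempt was accepted."""
    static = StaticHashLogin()
    captured = hashlib.sha256(b"example-password").hexdigest()  # the value an eavesdropper would record
    out = {
        "static_first": static.login("engineer", captured),
        "static_replay": static.login("engineer", captured),  # same bytes, accepted again
    }

    cr = ChallengeResponseLogin()
    nonce = cr.challenge("engineer")
    resp = client_response("example-password", nonce)
    out["challenge_first"] = cr.login("engineer", resp)
    cr.challenge("engineer")  # next session gets a new nonce
    out["challenge_replay"] = cr.login("engineer", resp)  # recorded response no longer matches
    return out


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point for defenders is the last two lines of `replay_outcomes`: once the server contributes fresh randomness to every sign-in, a recorded credential stops being reusable, which is exactly what the static-hash design lacks.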

Exploitation of any of these vulnerabilities could lead to a denial of service (DoS) or remote code execution (RCE). Because they affect industrial control systems used in critical infrastructure such as power, a successful attack could cause major disruptions and outages. Attackers could also plant backdoors on the device to disrupt operations later or exfiltrate critical information.


Countermeasures to put into place include:

  1. Patch any affected network devices. After checking with the device manufacturers for available fixes, update the device firmware to the fixed version or higher.
  2. Regardless of whether they run CODESYS, make sure that all crucial hardware—PLCs, routers, PCs, etc.—is segmented and separated from the internet.
  3. Only authorised components should be allowed access to CODESYS devices.
  4. Exploiting these CVEs still requires a valid username and password, so if patching cannot be prioritized immediately, reduce risk by enforcing effective segmentation, requiring unique usernames and passwords, and minimizing the number of users who have write access.
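Countermeasures 2 to 4 can be checked continuously rather than assumed. The script below is an added example, not from the original advisory or from CODESYS, that runs two such checks over constructed data: it scans connection-log lines for PLC traffic that arrives from outside the OT segment or from a host that is not on the engineering-workstation allowlist, and it reports accounts holding write rights beyond an approved set. The addresses, log format, user table and the CODESYS port numbers are assumptions for the example and should be replaced with your own inventory.

```python
import ipaddress

# Constructed inventory (assumption: all addresses and names are made up for this example).
PLC_HOSTS = {"10.20.0.11", "10.20.0.12"}
ENGINEERING_ALLOWLIST = {"10.20.5.10"}             # only hosts allowed to talk CODESYS to the PLCs
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # assumed OT network; anything outside it is "external"
CODESYS_PORTS = {11740, 1217}  # assumed CODESYS V3 runtime / gateway TCP ports; adjust to your deployment

# Constructed connection-log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2023-08-16T10:01:02Z 10.20.5.10 -> 10.20.0.11:11740 tcp
2023-08-16T10:01:09Z 10.20.5.23 -> 10.20.0.11:11740 tcp
2023-08-16T10:02:31Z 203.0.113.7 -> 10.20.0.12:1217 tcp
2023-08-16T10:03:00Z 10.20.5.10 -> 10.20.0.12:502 tcp
"""

# Constructed PLC user table (assumption): account name -> set of rights on the controller.
PLC_USERS = {
    "engineer": {"read", "write"},
    "operator": {"read"},
    "vendor-remote": {"read", "write"},
    "shared-line1": {"read", "write"},
}


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst_ip, "port": int(dst_port), "proto": proto}


def flag_connections(log_text):
    """Return [(reason, record)] for PLC-bound connections that violate the countermeasures:
    - source outside the OT segment: the PLC is reachable from beyond its segment (countermeasure 2)
    - source inside the segment but not an authorised engineering host, on a CODESYS port (countermeasure 3)
    Traffic to non-PLC hosts and non-CODESYS ports from allowed hosts is ignored."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dst"] not in PLC_HOSTS:
            continue
        if ipaddress.ip_address(rec["src"]) not in OT_SEGMENT:
            findings.append(("plc-reachable-from-outside-ot-segment", rec))
        elif rec["port"] in CODESYS_PORTS and rec["src"] not in ENGINEERING_ALLOWLIST:
            findings.append(("codesys-access-from-unauthorised-host", rec))
    return findings


def audit_write_users(users, approved_writers):
    """Return the sorted list of accounts with write rights that are not in the approved set
    (countermeasure 4: keep the number of write-capable users to the approved minimum)."""
    return sorted(u for u, rights in users.items() if "write" in rights and u not in approved_writers)


if __name__ == "__main__":
    for reason, rec in flag_connections(SAMPLE_LOG):
        print(f"{rec['ts']} {reason}: {rec['src']} -> {rec['dst']}:{rec['port']}")
    for account in audit_write_users(PLC_USERS, {"engineer"}):
        print(f"unapproved write access: {account}")
```

On the constructed log the first line is a permitted engineering session and the last is non-CODESYS traffic from a permitted host, so only the second (unlisted internal host) and third (external address) lines are reported; the user audit lists the two write-capable accounts outside the approved set.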
