0 6 min 3 mths
CODESYS industrial automation software

Cyber ​​security researchers on Wednesday revealed several security vulnerabilities affecting CODESYS automation software and WAGO programmable logic controller (PLC) platform that could be remotely exploited to take control of the operational technology infrastructure ( OT) cloud of a company.

The flaws can be transformed “into innovative attacks that could put threat actors in a position to remotely control a company’s cloud-based OT implementation and threaten any industrial process managed from the cloud”, New York-based industrial safety company Claroty said in a statement. report shared with The Hacker News, adding that they “can be used to target a cloud-based management console from a compromised field device, or take control of a company’s cloud and attack programmable logic controllers and other devices to disrupt operations “.

Stack Overflow Teams

CODESYS is a development environment for programming controller applications, allowing easy configuration of PLCs in industrial control systems. WAGO PFC100 / 200 is a series of PLCs that use the CODESYS platform to program and configure the controllers.

The list of the seven vulnerabilities is listed below –

  • CVE-2021-29238 (CVSS score: 8.0) – Falsification of cross-site requests in CODESYS Automation Server
  • CVE-2021-29240 (CVSS score: 7.8) – Insufficient verification of data authenticity in CODESYS Package Manager
  • CVE-2021-29241 (CVSS score: 7.5) – Zero pointer dereference in CODESYS V3 products containing the CmpGateway component
  • CVE-2021-34569 (CVSS score: 10.0) – WAGO PFC diagnostic tools – Write out of range
  • CVE-2021-34566 (CVSS score: 9.1) – WAGO PFC iocheckd “I / O-Check” service – Shared buffer overflow
  • CVE-2021-34567 (CVSS score: 8.2) – WAGO PFC service iocheckd “I / O-Check” – Reading out of range
  • CVE-2021-34568 (CVSS score: 7.5) – WAGO PFC iocheckd “I / O-Check” service – Unlimited resource allocation

Successful exploitation of vulnerabilities could allow installation of malicious CODESYS packages, cause a denial of service (DoS) condition or lead to elevation of privilege through the execution of malicious JavaScript code, and worse, manipulation or disruption. complete device.


In nature, this could happen in one of two ways: “from the bottom to the top” or “from the top to the bottom”. Twin approaches mimic the paths an adversary is likely to take to control a PLC endpoint in order to potentially compromise the cloud-based management console, or conversely, requisition the cloud in order to manipulate all devices. networked field.

Corporate password management

In a complex “bottom-up” exploitation chain designed by Claroty, a mix of CVE-2021-34566, CVE-2021-34567 and CVE-2021-29238 was exploited to achieve remote code execution on the ‘WAGO PLC, only to gain access to the CODESYS WebVisu man-machine interface and stage a cross-site request forgery (CSRF) attack to take control of the CODESYS automation server instance.


“An attacker who obtains access to a PLC managed by Automation Server Cloud can modify the ‘webvisu.js’ file and add JavaScript code at the end of the file which will send a malicious request to the cloud server on behalf of the logged in user”, explained Claroty’s lead researcher Uri Katz, who discovered and reported the flaws.

“When a cloud user views the WebVisu page, the modified JavaScript code will exploit the absence of a CSRF token and run in the context of the user viewing it; the request will include the CAS cookie. Attackers can do this. use for POST on ‘/ api / db / User’ with a new administrator user, giving them full access to the CODESYS cloud platform, ”Katz added.

On the other hand, another “top-down” attack scenario is to compromise the CODESYS engineering station by deploying a malicious package (CVE-2021-29240) designed to disclose cloud credentials associated with an account. operator and then using it. to alter the programmed logic and obtain unlimited access to all connected PLCs.


“Organizations moving forward with cloud-based management of OT and ICS devices should be aware of the inherent risks and increased threats of attackers eager to target industrial enterprises with extortion-based attacks, including ransomware, and more sophisticated attacks that can cause physical damage, ”Katz said.

The disclosures mark the second critical flaws that have been discovered in CODESYS and WAGO PLCs in as many months. In June, researchers from Positive Technologies revealed ten critical vulnerabilities in software web server and execution system components that could be exploited to obtain remote code execution on PLCs.

The development also comes a week after IoT security firm Armis revealed a critical authentication bypass vulnerability affecting Schneider Electric Modicon PLCs – dubbed “ModiPwn“(CVE-2021-22779) – which could be exploited to allow full control over the API, including overwriting critical memory regions, leaking sensitive memory content, or calling internal functions.

In a related report released earlier in May, Claroty disclosed a memory protection bypass vulnerability in Siemens SIMATIC S7-1200 and S7-1500 controllers (CVE-2020-15782) which could be exploited by a malicious actor to remotely access protected areas of memory and perform unlimited, undetected code execution.

The revelations also coincide with a joint cybersecurity council published by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) documenting a history spear-phishing and intrusion campaign conducted by state-funded Chinese actors from December 2011 to 2013, targeting 23 oil and natural gas pipeline operators (NGOs) in the country.

“The CISA and the FBI believe that these actors specifically targeted US pipeline infrastructure in an attempt to endanger US pipeline infrastructure,” the agencies said. “In addition, the CISA and the FBI believe that this activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations.”

Leave a Reply

Your email address will not be published. Required fields are marked *