Connect with us

Hi, what are you looking for?


Cloud Security

Industrial Firms Warned of Risk Posed by Cloud-Based ICS Management Systems

Researchers at industrial cybersecurity firm Claroty have identified a series of vulnerabilities that have enabled them to demonstrate how malicious actors could abuse cloud-based management platforms when targeting industrial organizations.

Researchers at industrial cybersecurity firm Claroty have identified a series of vulnerabilities that have enabled them to demonstrate how malicious actors could abuse cloud-based management platforms when targeting industrial organizations.

Members of Claroty’s Team82 research arm exploited a total of seven vulnerabilities as part of this research, including three affecting CODESYS and four impacting WAGO products. Specifically, the flaws affect CODESYS’s Automation Server platform, which enables organizations to manage industrial control systems (ICS) from the cloud, and some of WAGO’s programmable logic controllers (PLCs).

The researchers showed how an attacker could go from the cloud-based management console to all managed endpoint devices, and also from the endpoint devices to the management console.

The attack scenarios presented by Claroty involve social engineering, exploitation of the WAGO and CODESYS vulnerabilities — these were patched by the vendors in recent months — as well as some other techniques and exploits.

In the first attack, the attacker obtains unauthorized access to the account of a management console operator using stolen credentials or exploits.

In a theoretical scenario described by Claroty, the attacker creates a malicious CODESYS package designed to leak credentials. These packages, which enable users to add new functionality to CODESYS products, are available on a dedicated application store.

If the attacker manages to upload the malicious package to the CODESYS store and they can convince an OT engineer to install the package, they can execute arbitrary code on the targeted Windows device and obtain the Automation Server credentials.

Advertisement. Scroll to continue reading.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

“Once attackers gain access to the cloud-based management console, they have a wide attack surface to work with,” Claroty researchers explained in a blog post. “The simplest thing attackers can do is modify or even stop the logic currently running on managed PLCs. For example, an attacker could stop a PLC program responsible for temperature regulation of the production line, or change centrifuge speeds as was the case with Stuxnet. These types of attacks could lead to real-life damage and affect production times and availability.”

An attacker could also try to find exploits that enable them to escape the PLC sandbox, which would allow them to gain complete control of the controller.

Using malicious CODESYS packages to compromise cloud-based ICS management interface

In the second scenario described by Claroty, the attacker goes from a single compromised PLC to the cloud-based management console, from where they can target other managed endpoints.

The researchers showed how an attacker could hijack a WAGO PLC by exploiting an unauthenticated remote code execution vulnerability they discovered, then use the integrated CODESYS WebVisu feature to add a new user to the management platform, and leverage that account to take over the CODESYS Automation Server instance.

Using PLC vulnerabilities to compromise cloud-based ICS management interface

Each of these attacks chains the vulnerabilities found by the researchers in WAGO and CODESYS products.

Claroty has provided some high-level recommendations that industrial organizations should follow to minimize the risk of attacks.

Related: Vulnerabilities in OpENer Stack Expose Industrial Devices to Attacks

Related: WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes

Related: Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...