Researchers at industrial cybersecurity firm Claroty have identified a series of vulnerabilities that have enabled them to demonstrate how malicious actors could abuse cloud-based management platforms when targeting industrial organizations.
Members of Claroty’s Team82 research arm exploited a total of seven vulnerabilities as part of this research, including three affecting CODESYS and four impacting WAGO products. Specifically, the flaws affect CODESYS’s Automation Server platform, which enables organizations to manage industrial control systems (ICS) from the cloud, and some of WAGO’s programmable logic controllers (PLCs).
The researchers showed how an attacker could go from the cloud-based management console to all managed endpoint devices, and also from the endpoint devices to the management console.
The attack scenarios presented by Claroty involve social engineering, exploitation of the WAGO and CODESYS vulnerabilities — these were patched by the vendors in recent months — as well as some other techniques and exploits.
In the first attack, the attacker obtains unauthorized access to the account of a management console operator using stolen credentials or exploits.
In a theoretical scenario described by Claroty, the attacker creates a malicious CODESYS package designed to leak credentials. These packages, which enable users to add new functionality to CODESYS products, are available on a dedicated application store.
If the attacker manages to upload the malicious package to the CODESYS store and convinces an OT engineer to install it, they can execute arbitrary code on the targeted Windows device and obtain the Automation Server credentials.
“Once attackers gain access to the cloud-based management console, they have a wide attack surface to work with,” Claroty researchers explained in a blog post. “The simplest thing attackers can do is modify or even stop the logic currently running on managed PLCs. For example, an attacker could stop a PLC program responsible for temperature regulation of the production line, or change centrifuge speeds as was the case with Stuxnet. These types of attacks could lead to real-life damage and affect production times and availability.”
An attacker could also try to find exploits that enable them to escape the PLC sandbox, which would allow them to gain complete control of the controller.
In the second scenario described by Claroty, the attacker goes from a single compromised PLC to the cloud-based management console, from where they can target other managed endpoints.
The researchers showed how an attacker could hijack a WAGO PLC by exploiting an unauthenticated remote code execution vulnerability they discovered, then use the integrated CODESYS WebVisu feature to add a new user to the management platform, and leverage that account to take over the CODESYS Automation Server instance.
Each of these attacks chains the vulnerabilities found by the researchers in WAGO and CODESYS products.
Claroty has provided some high-level recommendations that industrial organizations should follow to minimize the risk of attacks.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
