Microsoft Discloses Codesys Flaws Allowing Shutdown of Industrial Operations, Spying

Over a dozen Codesys vulnerabilities discovered by Microsoft researchers can be exploited to shut down industrial processes or deploy backdoors.

Over a dozen vulnerabilities discovered by Microsoft researchers in Codesys products can be exploited to cause disruption to industrial processes or deploy backdoors that allow the theft of sensitive information.

Germany-based Codesys makes automation software for engineering control systems. Its products are used by some of the world’s largest industrial control system (ICS) manufacturers, and the vendor claims that its software is found in millions of devices, spanning roughly 1,000 different types of products made by over 500 manufacturers.

Microsoft researchers specializing in the security of cyberphysical systems have discovered a total of 16 vulnerabilities in Codesys Control V3 versions prior to 3.5.19.0. The security holes were reported to Codesys in September 2022 and patches were announced in April 2023. 

All of the vulnerabilities have been assigned a ‘high severity’ rating. They can be exploited for denial-of-service (DoS) attacks or for remote code execution (RCE).

Threat actors could exploit them to target programmable logic controllers (PLCs) and other ICS devices using Codesys software. Microsoft’s research focused on PLCs made by Schneider Electric and Wago. 

While exploitation of the vulnerabilities requires authentication, the researchers showed how hackers could exploit older Codesys flaws, such as CVE-2019-9013, to get past that requirement.

“While exploiting the discovered vulnerabilities requires deep knowledge of the proprietary protocol of Codesys V3 as well as user authentication (and additional permissions are required for an account to have control of the PLC), a successful attack has the potential to inflict great damage on targets,” Microsoft explained. 

It added, “Threat actors could launch a DoS attack against a device using a vulnerable version of Codesys to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way.”

Microsoft has published a lengthy blog post describing the vulnerabilities and how they can be exploited. The tech giant has also made available an open source tool designed to help users identify affected devices.

Codesys also has an advisory describing the flaws (direct download link). 

The Codesys vulnerabilities were summarized in a session at the Black Hat cybersecurity conference this week by Microsoft researcher Vladimir Tokarev. 
