Back to overview

WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation

VDE-2021-056
Last update
05/22/2025 15:03
Published at
11/16/2021 15:11
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2021-056
CSAF Document
Download

Summary

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLCs. All vulnerable PLCs are listed in chapter 'Affected Products'.
www.codesys.com/security/security-rep...

Impact

A successful attack stops all network communication. To restore the network connectivity the device needs to be restarted. The automation task is not affected.

Affected Product(s)

Model no. Product name Affected versions
750-8202/xxx-xxx Firmware <=03.07.14 (19)
750-8203/xxx-xxx Firmware <=03.07.14 (19)
750-8204/xxx-xxx Firmware <=03.07.14 (19)
750-8206/xxx-xxx Firmware <=03.07.14 (19)
750-8207/xxx-xxx Firmware <=03.07.14 (19)
750-8208/xxx-xxx Firmware <=03.07.14 (19)
750-8210/xxx-xxx Firmware <=03.07.14 (19)
750-8211/xxx-xxx Firmware <=03.07.14 (19)
750-8212/xxx-xxx Firmware <=03.07.14 (19)
750-8213/xxx-xxx Firmware <=03.07.14 (19)
750-8214/xxx-xxx Firmware <=03.07.14 (19)
750-8216/xxx-xxx Firmware <=03.07.14 (19)
750-8217/xxx-xxx Firmware <=03.07.14 (19)
750-823 Firmware <=FW09
750-829 Firmware <=FW16
750-831/000-00x Firmware <=FW14
750-832/000-00x Firmware <=FW09
750-852 Firmware <=FW16
750-862 Firmware <=FW09
750-880/0xx-xxx Firmware <=FW16
750-881 Firmware <=FW16
750-882 Firmware <=FW16
750-885/0xx-xxx Firmware <=FW16
750-889 Firmware <=FW16
750-890/0xx-xxx Firmware <=FW09
750-891 Firmware <=FW09
750-893 Firmware <=FW09

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:58
Severity
9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Weakness
Buffer Over-read (CWE-126)
Summary

Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of- service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
NULL Pointer Dereference (CWE-476)
Summary

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests may cause a Null pointer dereference in the CODESYS web server and may result in a denial-of-service condition.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
Unchecked Return Value (CWE-252)
Summary

In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer dereference with an invalid address can occur. This leads to a denial of service situation.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of- service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Access of Uninitialized Pointer (CWE-824)
Summary

A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.

References
cve.org | nvd.nist.gov

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the table in chapter solutions.
  4. Disable the CODESYS 2.3 WebVisualisation and CODESYS 2.3 port 2455.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at www.codesys.com/security/security-rep...

Remediation

UPDATE A: fixed Firmware versions for 750-890/0xx-xxx, 750-891 and 750-893 We recommend all effected users with CODESYS 2.3 Runtime PLCs to update to the firmware version listed below.

Series Ethernet Controller

Article Number Fixed Firmware Versions Available
750-823 >=FW10 January 2022
750-829 >=FW17 After BACnet certification
750-831/000-00x >=FW17 After BACnet certification
750-832/000-00x >=FW10 After BACnet certification
750-852 >=FW17 Q1 2022
750-862 >=FW10 January 2022
750-880/0xx-xxx >=FW17 Q1 2022
750-881 >=FW17 Q1 2022
750-882 >=FW17 Q1 2022
750-885/0xx-xxx >=FW17 Q1 2022
750-889 >=FW17 Q1 2022
750-890/0xx-xxx >=FW10 January 2022
750-891 >=FW10 January 2022
750-893 >=FW10 January 2022

PFC200 Controller

Article Number Affected Firmware Versions Approx. Available
750-8202/xxx-xxx >=FW20 January 2022
750-8203/xxx-xxx >=FW20 January 2022
750-8204/xxx-xxx >=FW20 January 2022
750-8206/xxx-xxx >=FW20 January 2022
750-8207/xxx-xxx >=FW20 January 2022
750-8208/xxx-xxx >=FW20 January 2022
750-8210/xxx-xxx >=FW20 January 2022
750-8211/xxx-xxx >=FW20 January 2022
750-8212/xxx-xxx >=FW20 January 2022
750-8213/xxx-xxx >=FW20 January 2022
750-8214/xxx-xxx >=FW20 January 2022
750-8216/xxx-xxx >=FW20 January 2022
750-8217/xxx-xxx >=FW20 January 2022

Revision History

Version Date Summary
1 11/16/2021 15:11 Initial revision.
2 11/24/2024 09:48 UPDATE A: fixed Firmware versions for 750-890/0xx-xxx, 750-891 and 750-893
3 05/22/2025 15:03 Fix: added distribution, quotation mark