WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro

VDE-2022-002
Last update: 05/22/2025 15:03
Published at: 01/31/2022 14:00
Vendor(s): WAGO GmbH & Co. KG
External ID: VDE-2022-002

Summary

A vulnerability has been reported in WIBU-SYSTEMS Codemeter, which is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installation bundles ship vulnerable versions of WIBU-SYSTEMS Codemeter.

Impact

WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, for compatibility with the CODESYS Group CODESYS store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| | WAGO e!COCKPIT engineering software installation bundle | <V1.11 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.46 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.47 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.49 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.53 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.55 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.61 |
| | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.66 |

Vulnerabilities

Published: 09/22/2025 14:58
Weakness: Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Summary

In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.

Mitigation

  • Use general security best practices to protect systems from local and network attacks.
  • Disable the container type 'Mass Storage' in CodeMeter via the Windows Registry.

Remediation

We strongly encourage e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter version.

WAGO will provide updated e!COCKPIT setup routines (Version 1.11) with the latest WIBU-SYSTEMS Codemeter version in Q2/2022.

Additionally, WAGO will provide a security patch for e!COCKPIT Version 1.10 in February 2022.
WAGO will provide updated WAGO-I/O-Pro (CODESYS 2.3) (Version 2.3.9.68) setup routines with the latest WIBU-SYSTEMS Codemeter version in Q1/2022.

For further details on risk mitigation and impact of this vulnerability, please refer to the official WIBU-SYSTEMS Advisory WIBU-210910-01 at www.wibu.com/support/security-advisor...

Further details on the corresponding CVEs can be obtained here:
cdn.wibu.com/fileadmin/wibu_downloads...
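
The version thresholds above can be applied to a software inventory to find the engineering workstations that still need the CodeMeter update. The following is an added example, not code from WAGO or WIBU-SYSTEMS. The product labels, host names and sample versions are constructed, and it assumes that a release without a letter suffix sorts before its lettered variants (7.30 before 7.30a).

```python
import re

# Thresholds taken from the advisory text.
CODEMETER_FIXED = "7.30a"   # CodeMeter Runtime "before 7.30a" is vulnerable
ECOCKPIT_FIXED = "1.11"     # e!COCKPIT bundles "<V1.11" are affected
IOPRO_AFFECTED = {"2.3.9.46", "2.3.9.47", "2.3.9.49", "2.3.9.53",
                  "2.3.9.55", "2.3.9.61", "2.3.9.66"}

def version_key(text):
    """Turn '7.30a' or 'V1.11' into a sortable key such as ((7, 30), 'a').

    Numeric parts are compared as integers, so 1.9 sorts before 1.11
    (a plain string comparison would get that wrong).
    """
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def is_affected(product, version):
    """product is a hypothetical inventory label, not a vendor identifier."""
    if product == "codemeter":
        return version_key(version) < version_key(CODEMETER_FIXED)
    if product == "ecockpit":
        return version_key(version) < version_key(ECOCKPIT_FIXED)
    if product == "wago-io-pro":
        return version.strip() in IOPRO_AFFECTED
    raise ValueError(f"unknown product label: {product!r}")

def triage(inventory):
    """Return the (host, product, version) rows that need the update."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = [
    ("eng-ws-01", "codemeter", "7.21a"),
    ("eng-ws-02", "codemeter", "7.30"),
    ("eng-ws-03", "codemeter", "7.30a"),
    ("eng-ws-04", "ecockpit", "V1.9"),
    ("eng-ws-05", "ecockpit", "1.11"),
    ("eng-ws-06", "wago-io-pro", "2.3.9.66"),
    ("eng-ws-07", "wago-io-pro", "2.3.9.68"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE):
        print(f"{host}: {product} {version} -> update CodeMeter Runtime")
```

A bundle version only indicates which CodeMeter Runtime was installed with it; after a stand-alone CodeMeter update, the CodeMeter Runtime version itself is the value to check.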

Revision History

| Version | Date | Summary |
|---|---|---|
| 1 | 01/31/2022 14:00 | Initial revision. |
| 2 | 05/22/2025 15:03 | Fix: quotation mark |