
CODESYS: Missing integrity check in CODESYS Development System

VDE-2023-022
Last update: 08/03/2023 12:52
Published at: 08/03/2023 12:52
Vendor(s): CODESYS GmbH
External ID: VDE-2023-022

Summary

The Notification Center of the CODESYS Development System receives messages without ensuring that they were not modified during transmission. This ultimately enables a man-in-the-middle (MITM) attacker to execute code when the user clicks the "Learn More" button.

Impact

Affected Product(s)

Model no. | Product name | Affected versions
- | CODESYS Development System | 3.5.11.0 < 3.5.19.20

Vulnerabilities


Published: 09/22/2025 14:58
Weakness: Improper Verification of Source of a Communication Channel (CWE-940)
Summary

In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20, a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.

References

Remediation

Update the CODESYS Development System to version 3.5.19.20.
The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.
Alternatively, you will find further information on obtaining the software update in the CODESYS Update area.
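
To find installations that still need this update, an inventory can be triaged against the affected range. The following is an added example, not code from CODESYS or from this advisory; the `host,version` inventory format, the hostnames and the function names are assumptions, and the sample lines are constructed.

```python
import re

# Bounds from the affected-products table: 3.5.11.0 <= v < 3.5.19.20.
# The vulnerability summary gives the lower bound as 3.5.11.20; the wider
# table bound is used here so borderline installs are flagged, not missed.
FIRST_AFFECTED = (3, 5, 11, 0)
FIRST_FIXED = (3, 5, 19, 20)
_VERSION = re.compile(r"^\s*[vV]?(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    m = _VERSION.match(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """Classify one installed version against the advisory's range."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"       # needs manual review, never assumed safe
    # Tuples compare numerically per field; plain string comparison would
    # wrongly sort "3.5.9.x" after "3.5.11.x".
    if v >= FIRST_FIXED:
        return "fixed"
    if v >= FIRST_AFFECTED:
        return "affected"
    return "before-range"      # older than the first listed affected version

def triage(inventory_lines):
    """Map 'host,version' lines to {status: [hosts]}; skips blanks/comments."""
    report = {"affected": [], "fixed": [], "before-range": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        report[classify(version)].append(host.strip())
    return report

# Constructed sample inventory (hostnames and versions are illustrative only)
SAMPLE = [
    "# host,codesys_version",
    "eng-ws-01,3.5.19.20",
    "eng-ws-02,3.5.19.10",
    "eng-ws-03,3.5.11.0",
    "eng-ws-04,3.5.10.40",
    "eng-ws-05,3.5.9",
    "eng-ws-06,V3.5.17.30",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` carry a version string that could not be parsed and should be checked by hand.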

Revision History

Version | Date | Summary
1 | 08/03/2023 12:52 | Initial revision.