Summary
A critical vulnerability has been discovered in the utilized component PROFINET IO Device by Hilscher Gesellschaft für Systemautomation mbH.
The impact of the vulnerability on the affected device is that it can no longer perform acyclic requests, may drop all established cyclic connections, and may disappear completely from the network.
For more information, see the advisory by Hilscher:
kb.hilscher.com/display/ISMS/2020-12-...
Update 20.11.2024: Products have been added
Impact
WAGO controllers and IO-Devices are not affected by WIBU-SYSTEMS Codemeter vulnerabilities. However, for reasons of compatibility with the CODESYS Store, the e!COCKPIT and engineering software is bundled with a WIBU-SYSTEMS Codemeter installation.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
 | WAGO-I/O-Pro (CODESYS 2.3) engineering software installation | 2.3.9.45<=2.3.9.70 |
 | e!COCKPIT engineering software installation bundle | <=1.11.2.0 |
Vulnerabilities
A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.
Mitigation
Use general security best practices to protect systems from local and network attacks.
For further details on risk mitigation and the impact of this vulnerability, please refer to the official WIBU-SYSTEMS Product Security Advisory WIBU-230704-01 on the website www.wibu.com/support/security-advisor....
Remediation
Until an update is available for e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3), we strongly encourage users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter version (https://www.wibu.com/support/user/user-software.html).
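To find engineering workstations that still need the stand-alone Codemeter update, the version bounds stated in this advisory can be checked against a software inventory. The following is an added example, not code from WAGO or WIBU-SYSTEMS; the inventory schema, the host names, the sample version 7.60c, the assumed "major.minor plus optional letter" Codemeter version format, and the inclusive reading of "2.3.9.45<=2.3.9.70" are assumptions of this example.

```python
import re

# Bounds copied from this advisory; reading "2.3.9.45<=2.3.9.70" as an
# inclusive range is an assumption of this example.
CODEMETER_LAST_AFFECTED = "7.60b"
WAGO_BUNDLES = {
    "WAGO-I/O-Pro (CODESYS 2.3)": ("2.3.9.45", "2.3.9.70"),
    "e!COCKPIT": (None, "1.11.2.0"),
}

def parse_codemeter(version):
    """'7.60b' -> (7, 60, 'b'). Assumed format: major.minor plus optional letter."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", version.strip().lower())
    if m is None:
        raise ValueError(f"unrecognised CodeMeter version: {version!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)  # '' sorts before 'a'

def parse_dotted(version):
    """'2.3.9.45' -> (2, 3, 9, 45) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def codemeter_affected(version):
    return parse_codemeter(version) <= parse_codemeter(CODEMETER_LAST_AFFECTED)

def bundle_affected(product, version):
    low, high = WAGO_BUNDLES[product]
    v = parse_dotted(version)
    return (low is None or parse_dotted(low) <= v) and v <= parse_dotted(high)

def triage(host):
    """Classify one inventory record (hypothetical schema, see INVENTORY)."""
    runtime = host.get("codemeter")
    if runtime is not None:
        # The runtime version decides: a stand-alone update fixes a bundled install.
        return "update CodeMeter" if codemeter_affected(runtime) else "ok"
    bundled = any(bundle_affected(p, v) for p, v in host["wago"].items())
    return "check CodeMeter version" if bundled else "ok"

# Constructed sample inventory, not real hosts.
INVENTORY = [
    {"name": "eng-ws-01", "wago": {"e!COCKPIT": "1.11.2.0"}, "codemeter": "7.60b"},
    {"name": "eng-ws-02", "wago": {"e!COCKPIT": "1.11.2.0"}, "codemeter": "7.60c"},
    {"name": "eng-ws-03", "wago": {"WAGO-I/O-Pro (CODESYS 2.3)": "2.3.9.55"}},
    {"name": "eng-ws-04", "wago": {"WAGO-I/O-Pro (CODESYS 2.3)": "2.3.9.44"}},
]

if __name__ == "__main__":
    for host in INVENTORY:
        print(host["name"], "->", triage(host))
```

A host whose Codemeter runtime version is unknown but which carries an affected bundle is reported for manual checking rather than assumed safe.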
Revision History
Version | Date | Summary |
---|---|---|
1 | 09/25/2023 12:00 | Initial revision. |
2 | 11/20/2024 12:00 | Update A |