Back to overview

WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime

VDE-2023-068
Last update
05/21/2024 08:00
Published at
05/21/2024 08:00
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2023-068
CSAF Document
Download

Summary

The following vulnerabilities are published with reference to CODESYS Advisory 2023-05, CODESYS Advisory 2023-06 and CODESYS Advisory 2023-09

Impact

Please refer to the official CODESYS Advisories:

Advisory2023-05_CDS-85189
Advisory2023-06_CDS-85457
Advisory2023-09_SCRIPT-44

Website at www.codesys.com/security/security-rep...

Affected Product(s)

Model no. Product name Affected versions
750-8001, 750-8000 Basic Controller 100 Firmware <=FW2
751-9401/xxx-xxx, 751-9301/xxx-xxx Compact Controller 100 Firmware <=FW25
752-8303/8000-0002 EC 300 Firmware <=FW25
750-8100/xxx-xxx, 750-8101/xxx-xxx, 750-8102/xxx-xxx PFC 100 Firmware <=FW22 Patch 1
750-8203/xxx-xxx, 750-8206/xxx-xxx, 750-8204/xxx-xxx, 750-8207/xxx-xxx, 750-8202/xxx-xxx PFC 200 G1 Firmware <=FW22 Patch 1
750-8215/xxx-xxx, 750-8217/xxx-xxx, 750-8210/xxx-xxx, 750-8211/xxx-xxx, 750-8212/xxx-xxx, 750-8213/xxx-xxx, 750-8214/xxx-xxx, 750-8216/xxx-xxx PFC 200 G2 Firmware <=FW25
762-4x0x/8000-000x, 762-5x0x/8000-000x, 762-6x0x/8000-000x TP 600 Firmware <=FW25
e!COCKPIT Firmware <=1.11.2.0

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Summary

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weakness
Uncontrolled Search Path Element (CWE-427)
Summary

In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the users context .

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37549 and CVE-2023-37550

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37550

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37549.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness
Files or Directories Accessible to External Parties (CWE-552)
Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specially crafted network communication requests can utilize the CmpApp component to download files with any file extensions to the controller. In contrast to the regular file download via CmpFileTransfer, no filtering of certain file types is performed here. As a result, the integrity of the CODESYS control runtime system may be compromised by the files loaded onto the controller.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37553, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37555 and CVE-2023-37556.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37556.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37555.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Out-of-bounds Write (CWE-787)
Summary

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37559

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
Improper Input Validation (CWE-20)
Summary

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37558

References
cve.org | nvd.nist.gov

Mitigation

Depending on the vulnerability there are possible mitigations:

Vulnerability of CODESYS Advisory 2023-05:

  • This vulnerability exists in the CODESYS programming service which is needed for commission only. Deactivate the CODESYS programming port in the web-based management if you do not need the service.

In addition to the mitigation hints CODESYS GmbH recommends the following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure they are not accessible from outside.
  • Use firewalls to protect and separate the control system network from other networks.
  • Use VPN (Virtual Private Networks) tunnels if remote access is required.
  • Activate and apply user management and password features.
  • Use encrypted communication links.
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detection solutions.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at www.codesys.com/security/security-rep...

Remediation

Fixed Firmware 3

Product Status
750-8000 available
750-8001 available

Fixed Firmware 26

Compact Controller 100 family

Product Status
751-9301/xxx-xxx available
751-9401/xxx-xxx available

PFC 100 family

Product Status
750-8100/xxx-xxx available
750-8101/xxx-xxx available
750-8102/xxx-xxx available

PFC 200 family

Product Status
750-8202/xxx-xxx available
750-8203/xxx-xxx available
750-8204/xxx-xxx available
750-8206/xxx-xxx available
750-8207/xxx-xxx available
750-8210/xxx-xxx available
750-8211/xxx-xxx available
750-8212/xxx-xxx available
750-8213/xxx-xxx available
750-8214/xxx-xxx available
750-8215/xxx-xxx available
750-8216/xxx-xxx available
750-8217/xxx-xxx available

TP 600 family

Product Status
762-4x0x/8000-000x available
762-5x0x/8000-000x available
762-6x0x/8000-000x available

EC 300 family

Product Status
752-8303/8000-0002 available

Fixed Firmware 22 Patch 2

Compact Controller 100 family

Product Status
751-9301/xxx-xxx planned
751-9401/xxx-xxx planned

PFC 100 family

Product Status
750-8100/xxx-xxx planned
750-8101/xxx-xxx planned
750-8102/xxx-xxx planned

PFC 200 family

Product Status
750-8202/xxx-xxx planned
750-8203/xxx-xxx planned
750-8204/xxx-xxx planned
750-8206/xxx-xxx planned
750-8207/xxx-xxx planned
750-8210/xxx-xxx planned
750-8211/xxx-xxx planned
750-8212/xxx-xxx planned
750-8213/xxx-xxx planned
750-8214/xxx-xxx planned
750-8215/xxx-xxx planned
750-8216/xxx-xxx planned
750-8217/xxx-xxx planned

TP 600 family

Product Status
762-4x0x/8000-000x planned
762-5x0x/8000-000x planned
762-6x0x/8000-000x planned

EC 300 family

Product Status
752-8303/8000-0002 planned

A fixed version of e!COCKPIT is planned.

Revision History

Version Date Summary
1 05/21/2024 08:00 Initial revision.