Summary
All legitimate local Microsoft Windows users can read or modify files that are located in the working directory of the affected CODESYS products, even if they are executed under a different user or in the system context.
Impact
The CODESYS Development System is an IEC 61131-3 programming tool for the industrial controller and automation technology sector. The integrated runtime for simulating CODESYS projects as well as CODESYS Control Win V3, CODESYS HMI and the CODESYS (Edge) Gateway running under the Microsoft Windows operating system have their working directory under %ProgramData%\CODESYS\ by default. All legitimate local Microsoft Windows users can read or modify files in this working directory, even if the affected products are running under a different user or in the system context.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| CODESYS Control Win | Firmware <3.5.20.10 | |
| CODESYS Development System V3 | Firmware <3.5.20.10 | |
| CODESYS Edge Gateway for Windows | Firmware <3.5.20.10 | |
| CODESYS Gateway for Windows | Firmware <3.5.20.10 | |
| CODESYS HMI | Firmware <3.5.20.10 |
Vulnerabilities
Expand / Collapse allA local attacker with low privileges can read and modify any users files and cause a DoS in the working directory of the affected products due to exposure of resource to wrong sphere.
Mitigation
Only create required user accounts on the Microsoft Windows systems on which the affected software is installed. Users who do not need to use the affected software should not have access to these systems.
Remediation
Update the following products to version 3.5.20.10.
CODESYS Control Win (SL)
CODESYS Edge Gateway for Windows
CODESYS Gateway for Windows
CODESYS HMI (SL)
CODESYS Development System V3
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS download area.
The working directories of the affected products are moved to "%APPDATA%\CODESYS\", which is usually located in C:\Users\
If the PLC is started with the "CODESYS Control Win SysTray PLC Control", it runs in the Windows user account "LocalSystem" and therefore the effective working directory is "C:\Windows\system32\config\systemprofile\AppData\Roaming\CODESYS\" or C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CODESYS. An administrator account is required to access these folders.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 06/04/2024 08:00 | initial revision |
| 2 | 04/11/2025 09:00 | FIx: version range |
| 3 | 05/14/2025 15:00 | Fix: added distribution |