
ID

VDE-2025-049

Published

2025-08-04 12:00 (CEST)

Last update

2025-08-01 13:53 (CEST)

Vendor(s)

CODESYS GmbH

Product(s)

Product Name | Affected Version(s)
CODESYS Control for BeagleBone SL < 4.16.0.0
CODESYS Control for emPC-A/iMX6 SL < 4.16.0.0
CODESYS Control for IOT2000 SL < 4.16.0.0
CODESYS Control for Linux ARM SL < 4.16.0.0
CODESYS Control for Linux SL < 4.16.0.0
CODESYS Control for PFC100 SL < 4.16.0.0
CODESYS Control for PFC200 SL < 4.16.0.0
CODESYS Control for PLCnext SL < 4.16.0.0
CODESYS Control for Raspberry Pi SL < 4.16.0.0
CODESYS Control for WAGO Touch Panels 600 SL < 4.16.0.0
CODESYS Runtime Toolkit < 3.5.21.20
CODESYS Virtual Control SL < 4.16.0.0

Summary

On certain operating systems (e.g., Linux), default file system permissions may allow read access to the files of the CODESYS Control runtime system for non-administrator users. The documentation provided with the CODESYS Runtime Toolkit does not explicitly address this risk. As a result, products based on the toolkit may unintentionally expose sensitive runtime files to local operating system users with limited privileges.

CODESYS Control runtime system based devices are affected if they provide access to the operating system (e.g., via a local user interface or SSH) and user accounts without administrator rights for this access exist or can be created.


Last Update: 1 August 2025 13:45

Weakness

Incorrect Default Permissions (CWE-276)

Summary

CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.


Impact

The affected products do not explicitly restrict read permissions for other local operating system users, potentially allowing unauthorized access to sensitive runtime files.

Solution

General Recommendation

As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Activate and apply user management and password features
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Use encrypted communication links
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Protect both development and control system by using up to date virus detecting solutions

For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper.

Mitigation

If the CODESYS Control runtime system is operated on an operating system with multi-user support, other users may potentially gain access to runtime-related files. Thus, it is essential to configure the storage locations for CODESYS Control runtime files in accordance with the operating system's security best practices. These locations should, by default, deny access to unauthorized users. If the operating system does not support such access control mechanisms, or if implementing them is not feasible, an alternative approach is to explicitly revoke read and write permissions for all non-administrative users on the directories used by the CODESYS Control runtime system.

The following directories must be secured:

  • The directory containing configuration files
  • The directory containing binary files
  • The working directory used by the runtime system

Note: Protecting individual files is not sufficient. The entire directories must be secured to ensure that any files created in the future are also protected.

Alternatively, where applicable, all non-administrative user accounts can be removed from the system, and their re-creation should be prevented. Additionally, it is recommended to disable remote access methods that allow file access (e.g., SSH) wherever possible, in order to reduce the overall attack surface.

Best practice recommendations for Linux and QNX Systems:

  • Create a dedicated privileged group for accessing the above-mentioned directories, and add the user account under which the runtime process is executed to this group.
  • Set the file system permissions for these directories to deny access to "other" users (e.g., chmod o-rx).
  • If access for additional users is required, they can be added to the privileged group as needed.
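The three steps above as an added shell script for Linux (written for this page, not CODESYS tooling); the group name codesysrt, the account codesys and the three directory paths are assumptions to be replaced with the device's real values, and the check function lists anything under a tree that is still accessible to "other" users.

```shell
#!/bin/sh
# Added example, not a CODESYS script. Applies the advisory's Linux best
# practice: a dedicated group, the runtime account in that group, and the
# whole config/binary/working directory trees closed to "other" users.
# Group name, account name and paths are assumptions; replace them with
# the values used on the actual device.
RT_GROUP="${RT_GROUP:-codesysrt}"
RT_USER="${RT_USER:-codesys}"
RT_DIRS="${RT_DIRS:-/etc/codesys /opt/codesys /var/opt/codesys}"

# Step 1 (as root): dedicated group, runtime account added to it.
setup_group() {
    getent group "$RT_GROUP" >/dev/null 2>&1 || groupadd "$RT_GROUP"
    id -nG "$RT_USER" | tr ' ' '\n' | grep -qx "$RT_GROUP" \
        || usermod -aG "$RT_GROUP" "$RT_USER"
}

# Step 2a (as root): hand the whole tree to the group; setgid on every
# directory so files created later inherit the group as well.
harden_group() {
    chgrp -R "$RT_GROUP" "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Step 2b: revoke read, write and execute for "other" on the whole tree
# (the advisory's chmod o-rx plus the write bit), not on single files.
harden_perms() {
    chmod -R o-rwx "$1"
}

# Lists every path under "$1" that "other" can still read, write or
# enter. Symlinks are skipped: their mode is always 777 and irrelevant.
list_other_access() {
    find "$1" ! -type l \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Returns 0 only when nothing under "$1" is accessible to "other".
check_dir() {
    [ -z "$(list_other_access "$1")" ]
}

# Usage: sh harden_codesys_dirs.sh apply   (as root)   or   ... check
case "${1:-}" in
    apply) setup_group
           for d in $RT_DIRS; do harden_group "$d"; harden_perms "$d"; done ;;
    check) for d in $RT_DIRS; do
               check_dir "$d" || { echo "still open to other: $d"; exit 1; }
           done ;;
esac
```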

Remediation

Version 3.5.21.20 of the following product provides an updated CODESYS Control V3 Runtime System Documentation:

  • CODESYS Runtime Toolkit

In particular, Chapter 5 (Architecture Manual), Section 5.4 (Portings), Subsection 5.4.1 (Security Considerations), Subsection 5.4.1.1 (Operating System Folder Permissions) now provides detailed guidance for device manufacturers on how to address the described security vulnerability. The same information is also included as Mitigation in this advisory.

CODESYS GmbH strongly recommends that this guidance be followed in order to effectively close the security vulnerability on affected devices. Devices are particularly at risk if they offer direct access to the operating system (e.g., via a local user interface or SSH) in combination with the presence or possibility of creating non-administrator user accounts for such access.

Important: Updating the toolkit is not sufficient. For affected customer devices based on the CODESYS Runtime Toolkit, the vulnerability needs to be resolved by following the instructions in the mentioned documentation.

Update the following products to version 4.16.0.0.

  • CODESYS Control for BeagleBone SL
  • CODESYS Control for emPC-A/iMX6 SL
  • CODESYS Control for IOT2000 SL
  • CODESYS Control for Linux ARM SL
  • CODESYS Control for Linux SL
  • CODESYS Control for PFC100 SL
  • CODESYS Control for PFC200 SL
  • CODESYS Control for Raspberry Pi SL
  • CODESYS Control for WAGO Touch Panels 600 SL
  • CODESYS Virtual Control SL

For the updated CODESYS Control SL products, CODESYS GmbH has implemented the necessary measures to address the identified security vulnerability. As a result, access to the runtime directories is now restricted to the Linux user account under which the CODESYS Control runtime is executed. Access is explicitly denied to all other non-administrator users.

Note: Administrator users (e.g., root) may still retain access.

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.

For the following product no fix is available.

  • CODESYS Control for PLCnext SL

Since there is no fix available for this product, CODESYS GmbH strongly recommends removing all other existing non-administrator users of the operating system and preventing their re-creation in order to neutralize the security vulnerability.

Reported by

CERT@VDE coordinated with CODESYS GmbH.

Credit to Luca Borzacchiello from Nozomi Networks for reporting.