WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3

VDE-2021-014

Last update

22.05.2025 15:03

Published at

20.05.2021 11:08

Vendor(s)

WAGO GmbH & Co. KG

External ID

VDE-2021-014

CSAF Document

Download

Summary

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLC's.

Impact

The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the CODESYS 2.3 Runtime.

Affected Product(s)

Model no.	Product name	Affected versions
	750-8202/xxx-xxx	Firmware <03.06.19 (18)
	750-8203/xxx-xxx	Firmware <03.06.19 (18)
	750-8204/xxx-xxx	Firmware <03.06.19 (18)
	750-8206/xxx-xxx	Firmware <03.06.19 (18)
	750-8207/xxx-xxx	Firmware <03.06.19 (18)
	750-8208/xxx-xxx	Firmware <03.06.19 (18)
	750-8210/xxx-xxx	Firmware <03.06.19 (18)
	750-8211/xxx-xxx	Firmware <03.06.19 (18)
	750-8212/xxx-xxx	Firmware <03.06.19 (18)
	750-8213/xxx-xxx	Firmware <03.06.19 (18)
	750-8214/xxx-xxx	Firmware <03.06.19 (18)
	750-8216/xxx-xxx	Firmware <03.06.19 (18)
	750-8217/xxx-xxx	Firmware <03.06.19 (18)
	750-823	Firmware <=FW07
	750-829	Firmware <=FW14
	750-831/000-00x	Firmware <=FW14
	750-832/000-00x	Firmware <=FW06
	750-852	Firmware <=FW14
	750-862	Firmware <=FW07
	750-880/0xx-xxx	Firmware <=FW15
	750-881	Firmware <=FW14
	750-882	Firmware <=FW14
	750-885/0xx-xxx	Firmware <=FW14
	750-889	Firmware <=FW14
	750-890/0xx-xxx	Firmware <=FW07
	750-891	Firmware <=FW07
	750-893	Firmware <=FW07

Vulnerabilities

Expand / Collapse all

Published

22.09.2025 14:58

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Out-of-bounds Write (CWE-787)

Summary

CODESYS V2 Web-Server before 1.1.9.20 has a Stack-based Buffer Overflow.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Out-of-bounds Write (CWE-787)

Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Out-of-bounds Write (CWE-787)

Summary

CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Write.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Weakness

Out-of-bounds Read (CWE-125)

Summary

CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Read.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

Allocation of Resources Without Limits or Throttling (CWE-770)

Summary

On WAGO PFC200 devices in different firmware versions with special crafted packets an attacker with network access to the device could cause a denial of service for the login service of the runtime.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)

Summary

CODESYS V2 Web-Server before 1.1.9.20 has a a Buffer Copy without Checking the Size of the Input.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

Out-of-bounds Write (CWE-787)

Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

Out-of-bounds Read (CWE-125)

Summary

CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Weakness

Incorrect Authorization (CWE-863)

Summary

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Summary

On WAGO PFC200 devices in different firmware versions with special crafted packets an authorised attacker with network access to the device can access the file system with higher privileges.

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.

References

cve.org | nvd.nist.gov

Mitigation

Use general security best practices to protect systems from local and network attacks.
Do not allow direct access to the device from untrusted networks.
Update to the latest firmware according to the table in chapter solutions.
Disable the CODESYS 2.3 Web-Visualisation and CODESYS 2.3 port 2455.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at www.codesys.com/security/security-rep... external link

Remediation

WAGO recommends all effected users with CODESYS 2.3 Runtime PLCs to update to the firmware version listed below.

Series Ethernet Controller:

Article No.	Fixed Version	Available
750-823	>=FW08	June 2021
750-829	>=FW15	May 2021
750-831/000-00x	>=FW15	May 2021
750-832/000-00x	>=FW08	June 2021
750-852	>=FW15	May 2021
750-862	>=FW08	June 2021
750-880/0xx-xxx	>=FW16	May 2021
750-881	>=FW15	May 2021
750-882	>=FW15	May 2021
750-885/0xx-xxx	>=FW15	May 2021
750-889	>=FW15	May 2021
750-890/0xx-xxx	>=FW08	June 2021
750-891	>=FW08	June 2021
750-893	>=FW08	June 2021

Series PFC200 Controller

Article No.	Fixed Patch	Patch Available	Fixed Firmware	Firmware Approx. Available
750-8202/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8203/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8204/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8206/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8207/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8208/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8210/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8211/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8212/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8213/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8214/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8216/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021
750-8217/xxx-xxx	>=03.06.19 (18)	May 2021	>=FW19	August 2021

Revision History

Version	Date	Summary
1	15.05.2021 11:00	Initial revision.
2	22.05.2025 15:03	Fix: version space, added distribution, quotation mark

WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2021-30190 9.8

CVE-2021-30189 9.8

CVE-2021-30188 9.8

CVE-2021-30193 9.8

CVE-2021-30194 9.1

CVE-2021-21000 7.5

CVE-2021-30191 7.5

CVE-2021-30186 7.5

CVE-2021-30195 7.5

CVE-2021-30192 6.8

CVE-2021-21001 6.5

CVE-2021-30187 5.3

Mitigation

Remediation

Revision History