VDE-2021-049
Last update
22.05.2025 15:03
Published at
16.11.2021 13:05
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2021-049
Summary
A denial-of-service vulnerability was reported in the CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLCs. All vulnerable PLCs are listed in chapter 'Affected Products'.
Impact
An attacker who has access to the device and is able to exploit the reported vulnerabilities can manipulate and disrupt the CODESYS 2.3 Runtime of the device.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
750-8202/xxx-xxx | | Firmware <=FW19 |
750-8203/xxx-xxx | | Firmware <=FW19 |
750-8204/xxx-xxx | | Firmware <=FW19 |
750-8206/xxx-xxx | | Firmware <=FW19 |
750-8207/xxx-xxx | | Firmware <=FW19 |
750-8208/xxx-xxx | | Firmware <=FW19 |
750-8210/xxx-xxx | | Firmware <=FW19 |
750-8211/xxx-xxx | | Firmware <=FW19 |
750-8212/xxx-xxx | | Firmware <=FW19 |
750-8213/xxx-xxx | | Firmware <=FW19 |
750-8214/xxx-xxx | | Firmware <=FW19 |
750-8216/xxx-xxx | | Firmware <=FW19 |
750-8217/xxx-xxx | | Firmware <=FW19 |
Vulnerabilities
Published
22.09.2025 14:58
Severity
Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
References
Mitigation
- Use general security best practices to protect systems from local and network attacks.
- Do not allow direct access to the device from untrusted networks.
- Update to the latest firmware according to the table in chapter 'Solutions'.
- Disable the CODESYS 2.3 port 2455.
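An asset owner can check an inventory against the affected-products table and confirm from a given network segment that port 2455 is no longer reachable. The script below is an added example, not part of the advisory or of any WAGO or CODESYS tooling. The CSV layout, the "FW<n>" firmware notation in the inventory, the host names, and the reading of "/xxx-xxx" as "any variant" are assumptions.

```python
import csv, io, re, socket

# Base model numbers from the advisory table; any /xxx-xxx variant is treated as listed.
AFFECTED_MODELS = {"750-8202", "750-8203", "750-8204", "750-8206", "750-8207",
                   "750-8208", "750-8210", "750-8211", "750-8212", "750-8213",
                   "750-8214", "750-8216", "750-8217"}
MAX_AFFECTED_FW = 19   # advisory: Firmware <=FW19
CODESYS_PORT = 2455    # CODESYS 2.3 port named in the mitigation list

# Constructed sample inventory (assumed format, hypothetical hosts).
SAMPLE_INVENTORY = """host,model,firmware
plc-line1,750-8212/025-000,FW19
plc-line2,750-8202,FW20
plc-pack1,750-8100,FW12
plc-pack2,750-8217/025-000,fw 17
plc-lab,750-8206,unknown
"""

def firmware_number(text):
    """Return the integer n from 'FW<n>', or None if the field cannot be parsed."""
    m = re.fullmatch(r"\s*FW\s*(\d+)\s*", text, re.IGNORECASE)
    return int(m.group(1)) if m else None

def classify(model, firmware):
    """Return 'affected', 'not affected', or 'unknown' for one inventory entry."""
    base = model.strip().split("/", 1)[0]
    if base not in AFFECTED_MODELS:
        return "not affected"
    fw = firmware_number(firmware)
    if fw is None:
        return "unknown"  # listed model, unreadable firmware: needs manual review
    return "affected" if fw <= MAX_AFFECTED_FW else "not affected"

def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}

def port_reachable(host, port=CODESYS_PORT, timeout=2.0):
    """True if a TCP connection to the port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run `port_reachable` against your own devices from each segment that should not have access; a `True` result means the port is still exposed to that segment.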
Revision History
Version | Date | Summary |
---|---|---|
1 | 16.11.2021 13:05 | initial revision |
2 | 22.05.2025 15:03 | Fix: version space, added distribution, quotation mark |