Weidmueller: WIBU Vulnerability in multiple Products

VDE-2023-032
Last update
22.05.2025 15:03
Published at
09.11.2023 08:42
Vendor(s)
Weidmueller Interface GmbH & Co. KG
External ID
VDE-2023-032
CSAF Document

Summary

Multiple Weidmueller products are affected by a recent vulnerability in the WIBU CodeMeter Runtime.

Impact

An attacker exploiting the vulnerability in WIBU CodeMeter Runtime running in server mode can gain full access to the affected server over the network, without any user interaction.
Exploiting the vulnerability in WIBU CodeMeter Runtime on a non-networked workstation can lead to privilege escalation and full administrative access on that workstation.

Affected Product(s)

Model no.    Product name                      Affected versions
2682620000   IOT-GW30 (with u-OS)              2.0.0, 2.0.2
2682630000   IOT-GW30-4G-EU (with u-OS)        2.0.0, 2.0.1
1334950000   UC20-WL2000-AC (with u-OS)        2.0.0, 2.0.1
1334990000   UC20-WL2000-IOT (with u-OS)       2.0.0, 2.0.1
2660130000   u-create studio                   <= 4.2.4

Vulnerabilities


Published
22.09.2025 14:57
Weakness
Out-of-bounds Write (CWE-787)
Summary

A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve remote code execution and gain full access to the host system.

References

Mitigation

u-create studio:
Disabling the network server function within CodeMeter mitigates the remote attack path (the local privilege escalation described under Impact is addressed only by the update listed under Remediation). To disable this function, follow these steps:

  1. Navigate to the CodeMeter WebAdmin website
  2. Select Settings > Server > Server access
  3. Choose 'deactivate' in the 'network server' section
  4. Click the 'Apply' button at the bottom of the page
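After deactivating the network server, a practitioner will want to confirm from another host that the CodeMeter service no longer accepts connections. The following Python script is an added example, not part of this advisory or of Weidmueller's or WIBU's software. It assumes CodeMeter's default network port 22350/tcp (configurable in WebAdmin; the advisory itself names no port) and that the probing host can reach the workstation. A throwaway local listener stands in for a still-exposed CodeMeter server so the script runs offline.

```python
"""Verify that the CodeMeter network server is no longer reachable.

Added example (not from the advisory). Assumptions: CodeMeter's default
network port is 22350/tcp and the workstation is reachable from this host.
"""
import socket
import threading
from contextlib import closing

# CodeMeter network server default port (assumed; adjust if changed in WebAdmin).
CODEMETER_DEFAULT_PORT = 22350


def tcp_port_accepts(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if host:port completes a TCP handshake within the timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            # Connection refused, unreachable, or timed out: nothing is listening.
            return False
        return True


def codemeter_network_server_exposed(host: str, port: int = CODEMETER_DEFAULT_PORT) -> bool:
    """True while the network server still accepts connections.

    Once the mitigation (Settings > Server > Server access > network server:
    deactivate) has been applied, this should return False for the workstation.
    """
    return tcp_port_accepts(host, port)


def check_hosts(hosts, port: int = CODEMETER_DEFAULT_PORT) -> dict:
    """Return {host: exposed} for an inventory list of u-create studio workstations."""
    return {h: codemeter_network_server_exposed(h, port) for h in hosts}


def demo_listener() -> socket.socket:
    """Constructed stand-in for a CodeMeter server with the network server enabled.

    Binds an ephemeral port on localhost and accepts connections in the
    background; closing the returned socket models applying the mitigation.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return  # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = demo_listener()
    port = srv.getsockname()[1]
    print("before mitigation:", check_hosts(["127.0.0.1"], port))
    srv.close()
    print("after mitigation: ", check_hosts(["127.0.0.1"], port))
```

Run it against the real workstation with `check_hosts(["<workstation-ip>"])`; a result of True after the WebAdmin change means the setting was not applied or a different port is configured. A TCP connect only shows whether something is listening, so a False result confirms the mitigation, while a True result on a port shared with another service still needs a look at the WebAdmin setting itself.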

Remediation

For the affected u-control web controllers and IoT gateways, update the firmware to at least version 2.0.2.
The firmware update can be obtained from www.weidmueller.com.

For u-create studio, update the CodeMeter Control Center software to at least version 7.60c.
The CodeMeter Control Center is bundled with u-create studio and is installed on your computer alongside it.
The CodeMeter Control Center update can be obtained from the WIBU-SYSTEMS homepage.
Look for 'CodeMeter User Runtime für Windows' (CodeMeter User Runtime for Windows) on the WIBU website.

Find below appropriate patched firmware versions for all affected products:

Product number   Product name                                     Patched in version
1334950000       UC20-WL2000-AC (with u-OS)                       2.0.2
1334990000       UC20-WL2000-IOT (with u-OS)                      2.0.2
2682620000       IOT-GW30 (with u-OS)                             2.0.2
2682630000       IOT-GW30-4G-EU (with u-OS)                       2.0.2
2660130000       u-create studio with CodeMeter Control Center    7.60c

Revision History

Version   Date                Summary
1         09.11.2023 08:42    Initial revision.
2         22.05.2025 15:03    Fix: quotation mark