Pilz: WIBU Vulnerability in multiple Products

VDE-2023-033
Last update
22.05.2025 15:03
Published at
12.10.2023 08:00
Vendor(s)
Pilz GmbH & Co. KG
External ID
VDE-2023-033

Summary

Several Pilz products use the third-party component "CodeMeter Runtime" from WIBU-SYSTEM AG to manage software licenses. This component is affected by a vulnerability that may enable an attacker to gain full control over the system running the software product. The vulnerability can be exploited locally or over the network.

Update A, 2023-12-05

Changed the affected versions of "Software PASvisu" from "< 1.15.0" to "< 1.14.1".
Removed CVE-2023-4701 because it was revoked.

Impact

When running WIBU CodeMeter Runtime in non-server mode, a local user may grant themselves improper elevated privileges. When running in server mode, a remote attacker may gain full control over the system. By default, the CodeMeter Runtime is running in non-server mode.

Affected Product(s)

Model no.              | Product name                             | Affected versions
-                      | PASloto                                  | <= 1.1.3
-                      | PMC programming tool 3.x.x               | 3.0.0 <= version <= 3.5.18.2
266807, 266812, 266815 | PMI v8xx                                 | <= 2.0.33992
-                      | PNOZsigma Configurator                   | < 1.5.0
-                      | Software Live Video Server               | <= 1.1.0
-                      | Software PAS4000                         | < 1.26.0
-                      | Software PASvisu                         | < 1.14.1
-                      | Software PIT User Authentication Service | < 1.1.2
-                      | Software SafetyEYE Configurator          | 3.0.0 <= version <= 3.0.1

Vulnerabilities

Published
22.09.2025 14:57
Weakness
Out-of-bounds Write (CWE-787)
Summary

A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated remote attacker to achieve remote code execution and gain full access to the host system.
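The affected-version table above mixes three range shapes ("<= x", "< x" and "a <= version <= b"), and the CodeMeter Runtime bound carries a letter suffix ("7.60b"), so a naive string comparison will misclassify installed versions. The following is an added example, not code from Pilz, WIBU-SYSTEMS or this advisory: it encodes the advisory's ranges as data and checks a constructed inventory against them. Assumptions: "up to version 7.60b" is read as inclusive; numeric components compare numerically and a trailing letter orders after the bare number (7.60 < 7.60a < 7.60b); the fixed CodeMeter version is not stated on this page and is not modelled. The check covers version exposure only; whether a host runs CodeMeter in server mode (the network-reachable case from the Impact section) must be verified separately.

```python
import re

# Affected ranges from the advisory: product -> (lower inclusive or None,
# upper bound, whether the upper bound is itself affected).
AFFECTED = {
    "PASloto": (None, "1.1.3", True),
    "PMC programming tool 3.x.x": ("3.0.0", "3.5.18.2", True),
    "PMI v8xx": (None, "2.0.33992", True),
    "PNOZsigma Configurator": (None, "1.5.0", False),
    "Software Live Video Server": (None, "1.1.0", True),
    "Software PAS4000": (None, "1.26.0", False),
    "Software PASvisu": (None, "1.14.1", False),
    "Software PIT User Authentication Service": (None, "1.1.2", False),
    "Software SafetyEYE Configurator": ("3.0.0", "3.0.1", True),
    # Assumption: "up to version 7.60b" treated as inclusive of 7.60b.
    "CodeMeter Runtime": (None, "7.60b", True),
}


def parse_version(v):
    """Turn '3.5.18.2' or '7.60b' into a tuple of ints.

    Each dotted component becomes (number, letter_rank); a missing letter
    ranks 0, 'a' ranks 1, 'b' ranks 2, so 7.60 < 7.60a < 7.60b.
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]?)", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {v!r}")
        parts.append(int(m.group(1)))
        letter = m.group(2).lower()
        parts.append(ord(letter) - ord("a") + 1 if letter else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter versions are zero-padded so 7.60 == 7.60.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(product, version):
    """True/False for products listed in the advisory, None if unknown."""
    rule = AFFECTED.get(product)
    if rule is None:
        return None
    lower, upper, upper_inclusive = rule
    if lower is not None and compare_versions(version, lower) < 0:
        return False
    c = compare_versions(version, upper)
    return c < 0 or (upper_inclusive and c == 0)


# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    ("Software PASvisu", "1.14.0"),      # below the "< 1.14.1" bound: affected
    ("Software PAS4000", "1.26.0"),      # exactly the "< 1.26.0" bound: fixed
    ("CodeMeter Runtime", "7.60b"),      # upper bound, inclusive: affected
    ("PMI v8xx", "2.0.33992"),           # "<= 2.0.33992": affected
    ("PMC programming tool 3.x.x", "2.9.9"),  # below the 3.0.0 lower bound
]


def check_inventory(inventory):
    """Return the (product, version) pairs that fall inside an affected range."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]


if __name__ == "__main__":
    for product, version in check_inventory(INVENTORY):
        print(f"AFFECTED: {product} {version}")
```

Products not named in the advisory return None rather than False so that an unknown component is reported as unassessed instead of silently passing.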

Remediation

PAS4000, PASvisu, PIT User Authentication Service, PNOZsigma Configurator, PMI v8xx: Install the fixed version as soon as it is available. Please visit the Pilz eShop (https://www.pilz.com/en-INT/eshop) to check for the fixed version.
PASloto, Live Video Server, SafetyEYE Configurator, PMC programming tool: These products are end-of-life; please follow the general countermeasures.

Revision History

Version Date Summary
1 12.10.2023 08:00 Initial revision.
2 05.12.2023 12:00 Update A
3 22.05.2025 15:03 Fix: quotation mark