Summary
Several CODESYS setups contain and install vulnerable versions of the WIBU CodeMeter Runtime.
Impact
The CODESYS Development System is an IEC 61131-3 programming tool for PLCs based on the CODESYS Control runtime system, which enables embedded or PC-based devices to act as a programmable industrial controller. All affected CODESYS products install and use the WIBU CodeMeter Runtime for license management. The manufacturer WIBU-SYSTEMS AG has reported a heap buffer overflow vulnerability in the WIBU CodeMeter Runtime, which can lead to remote code execution.
Affected Product(s)
Product name | Affected versions |
---|---|
CODESYS Control RTE (SL) | <3.5.19.30 |
CODESYS Control RTE (for Beckhoff CX) SL | <3.5.19.30 |
CODESYS Control Win (SL) | <3.5.19.30 |
CODESYS Control for Linux ARM SL | <4.10.0.0 |
CODESYS Control for Linux SL | <4.10.0.0 |
CODESYS HMI (SL) | <3.5.19.30 |
CODESYS OPC DA Server SL | <3.5.19.30 |
CODESYS SP Realtime NT | >=2.3.7.25 |
CODESYS Development System | >=2.3.9.45, <3.5.19.30 |
Vulnerabilities
A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.
Mitigation
WIBU-SYSTEMS AG recommends updating to CodeMeter Runtime version 7.60c to fix the vulnerability.
Until an update is available for the affected CODESYS products, or if it cannot be installed, CODESYS GmbH recommends downloading and installing the current CodeMeter Runtime directly from the website of WIBU-SYSTEMS AG (https://www.wibu.com/support/user/user-software.html).
If neither an update of the affected CODESYS products nor an update of the WIBU CodeMeter Runtime can be performed, you may find further mitigations in the Security Advisory WIBU-230704-01 provided by WIBU-SYSTEMS AG (https://www.wibu.com/support/security-advisories.html).
Remediation
Update the following products to version 3.5.19.30.
• CODESYS Control RTE (SL)
• CODESYS Control RTE (for Beckhoff CX) SL
• CODESYS Control Win (SL)
• CODESYS HMI (SL)
• CODESYS Development System
• CODESYS OPC DA Server SL
Update the following products to version 4.10.0.0.
• CODESYS Control for Linux SL
• CODESYS Control for Linux ARM SL
For the legacy CODESYS V2 products, no new version is scheduled.
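The following triage helper is an added example, not part of the CODESYS advisory or of any CODESYS or WIBU tooling. It encodes the affected-version ranges and the remediation choices printed above and, given an inventory row (product, installed CODESYS version, installed CodeMeter Runtime version), reports whether the host falls under this advisory and which of the page's remedies applies. Two details matter in practice and are easy to get wrong with a plain string compare: CodeMeter Runtime versions carry a patch letter (7.60 < 7.60a < 7.60b < 7.60c), and CODESYS V2.3.x installations of the Development System are affected but, per the page, get no product update. The inventory rows at the bottom are constructed sample data; the function and status names are this example's own.

```python
import re

CODEMETER_FIXED = "7.60c"  # first fixed CodeMeter Runtime version per the advisory


def parse_codemeter(version: str) -> tuple:
    """Parse 'major.minor[letter]' (e.g. 7.60b) into a sortable tuple.
    A missing letter sorts before 'a', so 7.60 < 7.60a < 7.60b < 7.60c.
    Assumption: the letter-suffixed scheme shown on the page; other
    formats are rejected rather than guessed at."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z])?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised CodeMeter Runtime version: {version!r}")
    major, minor, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), patch)


def parse_codesys(version: str) -> tuple:
    """Parse dotted CODESYS versions, padded to four fields (4.10 == 4.10.0.0)."""
    parts = version.strip().split(".")
    if not (1 <= len(parts) <= 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CODESYS version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


# Affected ranges copied from the advisory table:
# product -> (lower bound inclusive or None, first fixed version or None).
AFFECTED = {
    "CODESYS Control RTE (SL)": (None, "3.5.19.30"),
    "CODESYS Control RTE (for Beckhoff CX) SL": (None, "3.5.19.30"),
    "CODESYS Control Win (SL)": (None, "3.5.19.30"),
    "CODESYS Control for Linux ARM SL": (None, "4.10.0.0"),
    "CODESYS Control for Linux SL": (None, "4.10.0.0"),
    "CODESYS HMI (SL)": (None, "3.5.19.30"),
    "CODESYS OPC DA Server SL": (None, "3.5.19.30"),
    "CODESYS SP Realtime NT": ("2.3.7.25", None),  # legacy V2, no fix scheduled
    "CODESYS Development System": ("2.3.9.45", "3.5.19.30"),
}


def product_affected(product: str, version: str) -> bool:
    """True if the installed product version lies inside the advisory's range."""
    lower, fixed = AFFECTED[product]
    v = parse_codesys(version)
    if lower is not None and v < parse_codesys(lower):
        return False
    if fixed is not None and v >= parse_codesys(fixed):
        return False
    return True


def triage(product: str, product_version: str, codemeter_version: str) -> tuple:
    """Return (status, advice) for one host.
    Statuses: NOT_LISTED, NOT_AFFECTED, MITIGATED, UPDATE, NO_FIX."""
    if product not in AFFECTED:
        return ("NOT_LISTED", "product is not covered by this advisory")
    if not product_affected(product, product_version):
        return ("NOT_AFFECTED", "installed product version is outside the affected range")
    # The flaw is in CodeMeter itself: a separately updated runtime >= 7.60c
    # closes it even if the CODESYS product has not been updated yet.
    if parse_codemeter(codemeter_version) >= parse_codemeter(CODEMETER_FIXED):
        return ("MITIGATED", f"CodeMeter Runtime {codemeter_version} is already >= {CODEMETER_FIXED}")
    _, fixed = AFFECTED[product]
    if fixed is None or parse_codesys(product_version)[0] == 2:
        # Legacy CODESYS V2 branch: page says no new product version is scheduled.
        return ("NO_FIX", "no product update scheduled; install CodeMeter Runtime "
                          f"{CODEMETER_FIXED} from WIBU-SYSTEMS AG or apply WIBU-230704-01 mitigations")
    return ("UPDATE", f"update {product} to {fixed}, or install CodeMeter Runtime "
                      f"{CODEMETER_FIXED} from WIBU-SYSTEMS AG until then")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("plc-01", "CODESYS Control Win (SL)", "3.5.19.20", "7.60b"),
        ("plc-02", "CODESYS Control for Linux SL", "4.9.0.0", "7.50"),
        ("eng-01", "CODESYS Development System", "2.3.9.69", "7.60b"),
        ("eng-02", "CODESYS Development System", "3.5.19.30", "7.60b"),
        ("hmi-01", "CODESYS HMI (SL)", "3.5.19.10", "7.60c"),
    ]
    for host, product, pv, cmv in inventory:
        status, advice = triage(product, pv, cmv)
        print(f"{host:8} {status:13} {advice}")
```

The CodeMeter version string is taken as an input rather than read from the host, because the page does not say how the runtime reports it; feed in whatever the CodeMeter Control Center or your package inventory shows, and treat a parse error as "unknown, investigate" rather than as not affected.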
Revision History
Version | Date | Summary |
---|---|---|
1 | 05.12.2023 08:00 | Initial revision. |