
WAGO: Vulnerabilities in CODESYS Control V3 - OPC UA Stack

VDE-2025-009
Last update: 14.05.2025 14:28
Published at: 04.02.2025 12:00
Vendor(s): WAGO GmbH & Co. KG
External ID: VDE-2025-009

Summary

Several WAGO firmware versions are affected by an incorrect calculation of buffer size in the CODESYS OPC UA stack. This can crash the runtime on devices running the affected firmware versions.

Impact

The OPC UA Stack is used by both the CODESYS OPC UA Server and Client for data exchange with OPC UA clients like SCADA or HMIs, and OPC UA servers like PLCs. A vulnerability exists where a specially crafted request can cause the system to miscalculate the buffer size, leading to a crash during buffer initialization. Attackers can exploit this flaw by sending malicious requests to crash the CODESYS runtime system. The CODESYS Control runtime system includes both the OPC UA client and server, while the CODESYS HMI includes only the OPC UA client.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| 0750-800? | Basic Controller 100 0750-800x | Firmware <01.04.07(FW4 Basic Controller) |
| 0751-9?01 | CC100 0751-9x01 | Firmware <04.05.10(FW27), Firmware <04.06.03(70) |
| 0752-8303/8000-0002 | Edge Controller 0752-8303/8000-0002 | Firmware <04.06.01(70), Firmware <04.05.10(FW27) |
| 0750-810?/????-???? | PFC100 G1 0750-810x/xxxx-xxxx | Firmware <03.10.11(FW22Patch2) |
| 0750-811?-????-???? | PFC100 G2 0750-811x-xxxx-xxxx | Firmware <04.06.01(70), Firmware <04.05.10(FW27) |
| 750-820?-????-???? | PFC200 G1 750-820x-xxx-xxx | Firmware <03.10.11(FW22Patch2) |
| 750-821?-????-???? | PFC200 G2 750-821x-xxx-xxx | Firmware <04.05.10(FW27), Firmware <04.06.01(70) |
| 0762-420?/8000-000? | TP600 0762-420x/8000-000x | Firmware <04.06.01(70), Firmware <04.05.10(FW27) |
| 0762-430?/8000-000? | TP600 0762-430x/8000-000x | Firmware <04.05.10(FW27), Firmware <04.06.01(70) |
| 0762-520?/8000-000? | TP600 0762-520x/8000-000x | Firmware <04.05.10(FW27), Firmware <04.06.01(70) |
| 0762-530?/8000-000? | TP600 0762-530x/8000-000x | Firmware <04.05.10(FW27), Firmware <04.06.01(70) |
| 0762-530?/8000-000? | TP600 0762-620x/8000-000x | Firmware <04.06.01(70), Firmware <04.05.10(FW27) |
| 0762-630?/8000-000? | TP600 0762-630x/8000-000x | Firmware <04.06.01(70), Firmware <04.05.10(FW27) |

Vulnerabilities


Published: 22.09.2025 14:58
Weakness: Incorrect Calculation of Buffer Size (CWE-131)

Mitigation

The incorrect buffer size calculation can be avoided by limiting the maximum supported array length of the OPC UA stack in the CODESYS Control runtime system to a value of 10129639 or less (Stack.MaxArrayLenth=10129639). Add this setting to the runtime configuration file at the following path: /etc/codesys3.d/codesyscotrol.cfg
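
One way to audit a controller for the mitigation above, as an added example that is not part of the advisory or of any WAGO or CODESYS tooling. The key name and path are used as printed in this advisory; the function name check_max_array_len and the treatment of `;` and `#` lines as comments are assumptions.

```shell
#!/bin/sh
# Added example: audit the array-length mitigation described in this advisory.
# KEY and CFG_DEFAULT are copied as printed in the advisory; override them via
# the environment if your runtime documentation spells them differently.
KEY="${KEY:-Stack.MaxArrayLenth}"
CFG_DEFAULT="${CFG_DEFAULT:-/etc/codesys3.d/codesyscotrol.cfg}"
LIMIT=10129639

# check_max_array_len [FILE] prints a verdict and returns:
#   0 ok         key is set to a value <= LIMIT
#   1 too-large  key is set above LIMIT
#   2 missing    key absent, commented out, or file unreadable
#   3 invalid    value is empty or not a plain decimal number
check_max_array_len() {
    file="${1:-$CFG_DEFAULT}"
    [ -r "$file" ] || { echo missing; return 2; }
    # Take the last active assignment. Treating lines that start with ';'
    # or '#' as comments is an assumption about the file syntax.
    raw=$(awk -F= -v key="$KEY" '
        /^[ \t]*[;#]/ { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; gsub(/[ \t\r]/, "", v); found = 1 }
        }
        END { if (found) print "set:" v }' "$file")
    [ -n "$raw" ] || { echo missing; return 2; }
    value=${raw#set:}
    case "$value" in
        ""|*[!0-9]*) echo invalid; return 3 ;;
    esac
    # Strip leading zeros, then compare by digit count first so that very
    # long numbers never reach the shell's integer comparison.
    value=$(printf '%s' "$value" | sed 's/^0*//')
    [ -n "$value" ] || value=0
    if [ "${#value}" -gt "${#LIMIT}" ] || [ "$value" -gt "$LIMIT" ]; then
        echo too-large; return 1
    fi
    echo ok
}

# Stand-alone use on the controller: sh thisfile.sh --check [FILE]
if [ "${1:-}" = "--check" ]; then
    check_max_array_len "${2:-}"
fi
```

A verdict of missing means the runtime is using its built-in default, so the mitigation is not in place on that device.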

Remediation

Update to Firmware version 22 Patch 2, Firmware version 27 or Firmware version 4 for the basic controller. For the latest custom firmware, please contact WAGO support.

Revision History

| Version | Date | Summary |
|---|---|---|
| 1 | 04.02.2025 12:00 | Initial release |
| 2 | 12.03.2025 14:30 | fixed version |
| 3 | 14.05.2025 14:28 | Fix: firmware category |