An authenticated attacker can send a malformed packet to trigger a device crash via the CODESYS V2 runtime commands parsing.
Update: 08.07.2024 release date of the updates has been changed.
An unauthenticated attacker with network access to port 502/TCP of the target device can cause a denial-of-service condition by sending multiple specially crafted packets. The MODBUS server does not properly release memory resources that were reserved for incomplete connection attempts by MODBUS clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the MODBUS server.
The FL MGUARD family of devices is affected by two vulnerabilities.
Two vulnerabilites have been discovered in myREX24 and myREX24.virtual in all versions through 2.13.3.
Two vulnerabilites have been discovered in mbCONNECT24 and mbCONNECT24 in all versions through 2.13.3.
The “legal information” plugin of web-based-management contained a vulnerability which allowed execution of arbitrary commands with privileges of www user.
UPDATE A 15.06.2023 :
A Directory Traversal Vulnerability enables arbitrary file access in ENERGY AXC PU Web service.
An authenticated restricted user of the web frontend can access, read, write and create files throughout the file system using specially crafted URLs via the upload and download functionality of the web service.