Advisory

Impact on Industrial Automation: Unveiling Vulnerabilities in CODESYS V3 Software Development Kit

Take action: Another systemic vulnerability in Industrial Automation. This is not an urgent patch; a systematic, planned upgrade with risk monitoring is the way to go. Communicate the risk to your organization and start building up controls - patch what you can, isolate what you can't patch, and plan to upgrade or phase out the old systems you can't patch.



Microsoft's Threat Research team has revealed a cluster of 15 high-severity vulnerabilities embedded within the CODESYS V3 software development kit (SDK), potentially laying the groundwork for remote code execution (RCE) and denial-of-service (DoS) attacks.

CODESYS is a widely used software development environment and runtime system designed for programming and engineering programmable logic controllers (PLCs).

These vulnerabilities impact all versions of CODESYS V3 prior to 3.4.19.0. CODESYS enjoys widespread adoption for programming programmable logic controllers (PLCs), boasting compatibility with over 1,000 device types from more than 500 manufacturers.

These vulnerabilities expose the following risks:

  1. Potential for a DoS attack capable of incapacitating a susceptible CODESYS-enabled device and consequently shutting down vital infrastructure such as power plants.
  2. Potential for remote code execution, which can lay the groundwork for unauthorized access, tampering with operational functions, inciting abnormal PLC behavior, and theft of sensitive data.

Fortunately, the exploits are not trivial: they require user authentication and a deep understanding of the CODESYS V3 proprietary protocols, and most PLC systems are isolated from the public web. Nevertheless, these vulnerabilities should not be ignored indefinitely. If exploited, they cross from the digital world into the physical one: because PLC devices control physical systems and machinery, an attack will cause physical harm or damage.

Microsoft reported the findings to the CODESYS Group in September of 2022, and security updates were built and recommended for immediate application.

Users are also strongly advised to upgrade device firmware to version 3.5.19.0 or above to prevent potential exploitation.
