CoDeSys | Breaking Cybersecurity News | The Hacker News

A set of 16 high-severity security flaws have been disclosed in the  CODESYS V3  software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed  CoDe16 , carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. "Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial-of-service (DoS)," Vladimir Tokarev of the Microsoft Threat Intelligence Community  said  in a report. While a successful weaponization of the flaws requires user authentication as well as an in-depth knowledge of the proprietary prot...

CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others.  "These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution," Chinese cybersecurity firm NSFOCUS  said . "In combination with industrial scenarios on the field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc." CODESYS is a  software   suite  used by automation specialists as a development environment for programmable logic controller applications ( PLCs ). Following responsible disclosure between September 2021 and January 2022, fixes were  shipped  by the German software company last week on June 23, 2022. Two of the bugs are rated as Critical, seven as High,...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Cybersecurity researchers on Wednesday disclosed multiple security vulnerabilities impacting CODESYS automation software and the WAGO programmable logic controller (PLC) platform that could be remotely exploited to take control of a company's cloud operational technology (OT) infrastructure. The flaws can be turned "into innovative attacks that could put threat actors in position to remotely control a company's cloud OT implementation, and threaten any industrial process managed from the cloud," the New York-headquartered industrial security company Claroty said in a report shared with The Hacker News, adding they "can be used to target a cloud-based management console from a compromised field device, or take over a company's cloud and attack PLCs and other devices to disrupt operations." CODESYS is a development environment for programming controller applications, enabling easy configuration of PLCs in industrial control systems. WAGO PFC100/200 is...

Reid Wightman from security firm ioActive reported that there is an undocumented backdoor available in   CoDeSys  software that actually used to manage equipment in power plants, military environments, and nautical ships. The bug allow malicious hackers to access sensitive systems without authorization, Ars said. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering and There is absolutely no authentication needed to perform this privileged command,  Reid mention. This software has been used in industrial control systems sold by 261 different manufacturers. 3S-Smart Software Solutions designs CoDeSys and recently issued an advisory that recommends users set a password, but  he is able to develop two exploit shells , one is  codesys-shell.py (to get the CoDeSys command shell wit...