Found 15 vulnerabilities in the software of industrial control systems Codesys, which can be used to stop power plants or the theft of information from critical infrastructure systems.
In a report on GitHub, a Specialist from Microsoft Corporation claimed that the German manufacturer discovered the shortcomings in Codesys V3 SDK in September 2022, but they have since been eliminated.
The Codesys V3 SDK, widely used in the industry, provides an environment for setting up and testing programmable logic controllers (PLC). Devices become vulnerable to attacks due to the built-in code in Codesys.
Although the study focused on equipment from Schneider Electric and Wago, Codesys V3 is available for about 1000 types of devices from more than 500 manufacturers, which amounts to “several million devices”.
The 15 vulnerabilities have been given severity ratings ranging from 7.5 to 8.8 out of 10. The exploits require authentication and entry into the system.
Microsoft has issued a warning stating, “An attack that exploits a vulnerable version of Codesys can lead to the shutdown of a power station, the creation of a backdoor in devices, abnormal functioning of PLCs, or theft of critically important information.”
Users of devices with this flawed software are advised to update immediately to prevent potential attacks.