Microsoft security experts recently revealed that the system from German industrial software giant Codesys has 15 high-risk security vulnerabilities that can lead to power plant shutdowns or the theft of critical system information. In September 2022, Microsoft threat intelligence expert Vladimir Tokarev reported to Codesys a security vulnerability in versions prior to Codesys Control V3 3.5.19.0. Codesys released a patch for the vulnerability in April 2023.
Codesys, headquartered in Germany, provides automation software for industrial control systems that is widely used in a large number of devices: about 1,000 different types of products produced by more than 500 manufacturers.
The 15 vulnerabilities, numbered CVE-2022-47379 through CVE-2022-47393, are classified as high-risk, with most scoring 8.8/10, and can be used for denial-of-service (DoS) attacks or remote code execution (RCE). Twelve of the vulnerabilities are buffer overflow vulnerabilities that can be used to achieve remote code execution on PLCs. However, an attacker would need to be able to bypass authentication, as well as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
Security experts believe that these vulnerabilities are not easy to exploit: attackers not only need to bypass authentication or steal login credentials, but also need deep knowledge of Codesys V3's proprietary protocol and the architecture of the different services used by the protocol. But given the high risk of these vulnerabilities, which could shut down factories and cut power, experts strongly recommend that they be patched as soon as possible.