The CODESYS Control runtime system enables embedded or PC-based devices to act as programmable industrial controllers. Control programs can access local or remote I/Os, communication interfaces such as serial ports or sockets, and local system functions such as the file system, the real-time clock and other OS functions. A control program could use this vulnerability to read and modify the configuration file(s) of the affected products via CAA File, SysFile, SysFileAsync, or other IEC code libraries for file access. Programming the controller is only possible if the online user management is deactivated or not active, or if the attacker has previously authenticated successfully at the controller.

Risk Information

  • CVE ID: CVE-2022-22515
  • Vendor
  • Product: CODESYS Development System
  • CVSS v3: 7.1