Our new Biannual ICS Risk & Vulnerability Report is the most up-to-date look at CVEs disclosed in OT devices.
Check it out!
The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Control programs can access local or remote IOs, communication interfaces such as serial ports or sockets, and local system functions such as the file system, the real-time clock and other OS functions. The control program could utilize this vulnerability to read and modify the configuration file(s) of the affected products via CAA File, SysFile, SysFileAsync, or other IEC code libraries for file access. Programming the controller is only possible, if the online user management is deactivated/not active or if the attacker has previously successfully authenticated himself at the controller.