Over a dozen vulnerabilities discovered by Microsoft researchers in Codesys products can be exploited to cause disruption to industrial processes or deploy backdoors that allow the theft of sensitive information.
Germany-based Codesys makes automation software for engineering control systems. Its products are used by some of the world’s largest industrial control system (ICS) manufacturers, the vendor claiming that its software is found in millions of devices — roughly 1,000 different types of products made by over 500 manufacturers.
Microsoft researchers specializing in the security of cyberphysical systems have discovered a total of 16 vulnerabilities in Codesys Control V3 versions prior to 3.5.19.0. The security holes were reported to Codesys in September 2022 and patches were announced in April 2023.
All of the vulnerabilities have been assigned a ‘high severity’ rating. They can be exploited for denial-of-service (DoS) attacks or for remote code execution (RCE).
Threat actors could exploit them to target programmable logic controllers (PLCs) and other ICS devices using Codesys software. Microsoft’s research focused on PLCs made by Schneider…
