CVE-2021-34593

CODESYS V2 runtime: unauthenticated invalid requests may result in denial-of-service

CVSS 7.5 HIGH · EPSS 2.6% · CWE-755

In short

The CODESYS V2 Runtime allows anyone to send specially crafted invalid requests that can crash the system, stop running programs, or prevent other users from connecting to the programmable logic controller (PLC).

Technical detail

Unauthenticated remote attackers can send malformed requests to the CODESYS V2 Runtime (Runtime Toolkit 32 Bit full and PLCWinNT, versions before V2.4.7.56) to trigger denial-of-service conditions including process termination, memory exhaustion, and connection blocking. Exploitation requires network access but no authentication, and the impact on PLC availability is high.

Summary generated and translated by AI from the official description.
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
CODESYS · CODESYS V2
