---
title: "Critical CODESYS Flaws Expose Schneider Electric Devices to RCE Attacks"
short_title: "CODESYS flaws threaten Schneider Electric devices"
description: "Schneider Electric warns of multiple critical vulnerabilities in CODESYS runtime affecting industrial controllers, HMI panels, and simulation software. Patch now to prevent remote code execution and denial-of-service risks."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [codesys, schneider-electric, industrial-control-systems, rce, cve]
score: 0.92
cve_ids: [
CVE-2022-4046, CVE-2023-28355, CVE-2022-47378, CVE-2022-47379, CVE-2022-47380,
CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386,
CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385,
CVE-2022-47392, CVE-2022-47393, CVE-2022-47391, CVE-2023-37545, CVE-2023-37546,
CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550, CVE-2023-37551,
CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, CVE-2023-37555, CVE-2023-37556,
CVE-2023-37557, CVE-2023-37558, CVE-2023-37559, CVE-2023-3662, CVE-2023-3663,
CVE-2023-3669, CVE-2023-3670
]
---
## TL;DR
Schneider Electric has disclosed 40+ vulnerabilities in the CODESYS runtime system V3 embedded across its industrial controllers, HMI panels, and simulation software. Exploiting these flaws could lead to remote code execution (RCE), denial-of-service (DoS), or arbitrary code modification on affected devices. Immediate patching and network segmentation are critical to mitigate risks in critical infrastructure sectors like energy, manufacturing, and commercial facilities.
---
## Main Content
### Introduction
Schneider Electric has issued a security advisory warning of multiple critical vulnerabilities in the CODESYS runtime system V3, a widely used platform for programming industrial controllers. These flaws affect a broad range of Schneider Electric devices, including Modicon controllers, PacDrive systems, and Harmony HMI panels, potentially exposing industrial environments to remote code execution (RCE), denial-of-service (DoS), and unauthorized data manipulation. Given the deployment of these devices in critical infrastructure sectors worldwide, the vulnerabilities pose significant risks to operational continuity and safety.
---
### Key Points
- 40+ vulnerabilities identified in CODESYS runtime V3, affecting Schneider Electric’s industrial controllers, HMI panels, and simulation software.
- Critical impact: Successful exploitation could lead to RCE, DoS, or arbitrary code execution on vulnerable devices.
- Affected products: Modicon controllers (M241, M251, M262, M258, LMC058, LMC078, M218), PacDrive 3 controllers, HMISCU controllers, Harmony HMI panels, and EcoStruxure Machine Expert software.
- High CVSS scores: Multiple vulnerabilities rated 8.8 (High), indicating severe risk.
- Mitigation available: Schneider Electric has released patches and workarounds, including firmware updates and network segmentation recommendations.
- End-of-life products: Some affected devices (e.g., Magelis XBT series, Modicon LMC078, M218) are no longer supported, requiring migration to newer models.
---
### Technical Details
The vulnerabilities stem from flaws in the CODESYS runtime system V3, which is embedded in Schneider Electric’s industrial automation products. The issues include:
1. Memory Corruption Vulnerabilities (e.g., CVE-2022-47379, CVE-2022-47380):
   - After successful authentication, crafted communication requests can cause buffer overflows or invalid memory access, leading to RCE or DoS.
   - Example: CVE-2022-47379 allows attackers to write arbitrary data to memory, potentially executing malicious code.
2. Improper Input Validation (e.g., CVE-2023-37545, CVE-2023-37546):
   - Crafted requests with inconsistent content can cause the system to read from invalid memory addresses, resulting in DoS conditions.
   - Example: CVE-2023-37545 enables attackers to trigger crashes by sending malformed packets.
3. Insufficient Integrity Checks (e.g., CVE-2023-28355):
   - The PLC application checksum in CODESYS is insufficient to detect memory or boot application manipulation, allowing attackers to bypass integrity checks.
4. Uncontrolled Search Path Element (CVE-2023-3662):
   - The CODESYS Development System may execute malicious binaries from the current working directory, enabling local privilege escalation.
5. Exposure of Resources to Wrong Sphere (CVE-2023-3670):
   - CODESYS Scripting can execute untrusted scripts, potentially leading to unauthorized code execution.
---
### Impact Assessment
The vulnerabilities pose severe risks to industrial environments, including:
- Remote Code Execution (RCE): Attackers with network access could execute arbitrary code on vulnerable devices, potentially taking control of industrial processes.
- Denial-of-Service (DoS): Crafted requests could crash devices, disrupting operations in critical sectors like energy, manufacturing, and water treatment.
- Data Manipulation: Flaws like CVE-2022-4046 allow authenticated users to modify sensitive data, compromising process integrity.
- Supply Chain Risks: CODESYS is embedded in products from multiple vendors, amplifying the potential impact across industries.
---
### Affected Systems
The following Schneider Electric devices and software are affected:
#### Controllers:
- HMISCU Controller (all versions prior to v6.3.1)
- Modicon Controllers: M241, M251, M262, M258, LMC058, LMC078, M218
- PacDrive 3 Controllers: LMC Eco/Pro/Pro2 (all versions prior to v1.76.14.1)
#### Software:
- EcoStruxure Machine Expert (SoftSPS and Vijeo Designer embedded, all versions prior to v2.2/v6.3.1)
- Vijeo Designer (all versions prior to v6.3.1)
#### HMI Panels:
- Harmony (formerly Magelis) HMIGK/HMIGTO/HMIGTU/HMIGTUX/HMISTU series (all versions prior to V6.3 HF3)
- Easy Harmony HMIET6/HMIFT6, Magelis HMIGXU (all versions prior to v2.0 HF2)
- Magelis XBT series (end-of-life, no fixes planned)
---
### Mitigation Steps
Schneider Electric has provided the following remediation and mitigation measures:
#### Vendor Fixes:
1. Update Firmware:
   - Modicon M241, M251, M262: Update to firmware delivered with Machine Expert v2.2.
   - PacDrive 3 Controllers: Update to v1.76.14.1 or later.
   - Vijeo Designer: Update to v6.3.1 or apply HotFix V6.3 HF3.
   - Easy Modicon M310: Update to v3.1.5.82.
2. Software Updates:
   - EcoStruxure Machine Expert: Update to v2.2 (SoftSPS component removed).
   - Vijeo Designer Basic: Apply v2.0 HotFix 2.
3. End-of-Life Products:
   - Migrate from unsupported devices (e.g., Magelis XBT series, Modicon LMC078, M218) to newer models like Modicon M262 or Harmony HMIGTO/HMIGTU/HMIGK.
#### Mitigation Strategies:
- Network Segmentation: Isolate industrial control systems from business networks using firewalls.
- Access Control: Restrict access to programming ports (UDP/1740, TCP/11740, TCP/1105) and enforce strong authentication.
- Encrypted Communication: Use VPNs for remote access and enable encrypted links.
- Malware Protection: Deploy up-to-date antivirus and endpoint protection on engineering workstations.
- Monitoring: Subscribe to Schneider Electric’s [security notification service](https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp) for updates.
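
One way to check the access-control item above against network telemetry, as an added example that is not taken from the advisory: it flags flows to the listed programming ports (UDP/1740, TCP/11740, TCP/1105) that originate outside an approved engineering allowlist. The address plan, the flow-export column layout and the sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Programming ports named in the mitigation list above.
PROGRAMMING_PORTS = {("udp", 1740), ("tcp", 11740), ("tcp", 1105)}

# Assumed, site-specific address plan (hypothetical values for this example).
CONTROLLER_NET = ipaddress.ip_network("10.20.0.0/24")         # PLC/HMI cell
ENGINEERING_HOSTS = [ipaddress.ip_network("10.20.1.10/32")]   # approved workstation

# Constructed sample flow export, columns: time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2025-01-24T08:00:01Z,10.20.1.10,10.20.0.5,tcp,11740
2025-01-24T08:00:07Z,10.50.3.22,10.20.0.5,tcp,11740
2025-01-24T08:00:09Z,10.50.3.22,10.20.0.5,tcp,11740
2025-01-24T08:01:12Z,10.50.3.22,10.20.0.6,udp,1740
2025-01-24T08:02:30Z,10.20.1.10,10.20.0.6,tcp,1105
2025-01-24T08:03:00Z,10.50.3.22,10.20.0.5,tcp,443
2025-01-24T08:03:05Z,not-an-ip,10.20.0.5,tcp,1105
"""

def unapproved_programming_access(flow_text):
    """Return (Counter keyed by (src, dst, proto, port), number of unparsable rows)."""
    hits, bad_rows = Counter(), 0
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue
        try:
            _, src, dst, proto, dport = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            key = (proto.lower(), int(dport))
        except ValueError:
            bad_rows += 1  # report these: rows that fail to parse can hide traffic
            continue
        if dst_ip not in CONTROLLER_NET or key not in PROGRAMMING_PORTS:
            continue  # not a programming-port flow to a controller
        if any(src_ip in net for net in ENGINEERING_HOSTS):
            continue  # approved engineering workstation
        hits[(src, dst, *key)] += 1
    return hits, bad_rows

if __name__ == "__main__":
    hits, bad = unapproved_programming_access(SAMPLE_FLOWS)
    for (src, dst, proto, port), n in sorted(hits.items()):
        print(f"ALERT {src} -> {dst} {proto}/{port} flows={n}")
    print(f"unparsable rows: {bad}")
```

Any alert here means the firewall rules between the business and control networks are not enforcing the restriction, so the rule set should be reviewed alongside the source host.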
---
### Conclusion
The CODESYS vulnerabilities in Schneider Electric’s industrial devices highlight the growing risks to critical infrastructure from embedded software flaws. Organizations must prioritize patching and implement network segmentation, access controls, and encryption to mitigate potential attacks. Given the severity of these vulnerabilities—particularly the risk of remote code execution—proactive measures are essential to safeguard industrial operations. Schneider Electric’s advisory underscores the need for continuous monitoring and collaboration between vendors, operators, and cybersecurity experts to address evolving threats in industrial control systems.