ADVISORY2025-02_VDE-2025-013

Vulnerability from csaf_codesysgmbh - Published: 2025-03-18 11:00 - Updated: 2025-06-05 13:31
Summary
CODESYS (Edge) Gateway for Windows insecure default
Notes
Summary: The CODESYS Gateway enables communication between CODESYS runtimes and other clients, primarily the CODESYS Development System V3. It is usually installed as a part of the CODESYS Development System V3 setup and accessed locally by the CODESYS Development System. Due to an insecure standard configuration of the CODESYS Gateway, it is not only accessible locally, but also remotely by default.
Impact: The CODESYS Gateway serves as a communication channel for various clients to CODESYS runtimes. By default, the CODESYS Gateway listens on all available network adapters on port 1217 and can therefore be accessed remotely. However, remote access to the CODESYS Gateway is only required in certain network configurations. Since the CODESYS Gateway is usually accessed locally, many users are unaware of this remote access option, which can enable scanning of and access to restricted PLC networks. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs – unless it is disabled. Please note that the CODESYS (Edge) Gateway for Windows can be installed as a separate setup or as part of other setups such as the CODESYS Development System V3 setup or the CODESYS OPC DA Server setup.
Mitigation: There are two possibilities to mitigate the vulnerability in CODESYS (Edge) Gateways with versions before 3.5.21.0:

1. Check the "LocalAddress" setting in the [CmpGwCommDrvTcp] section of the Gateway's configuration file as follows:

       [CmpGwCommDrvTcp]
       LocalAddress=127.0.0.1 ; allow access only from the local computer
       ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address
       ;LocalAddress=0.0.0.0 ; allow access from any remote machine

2. To reset the Microsoft Windows firewall rule, you must first uninstall the setup that was originally used to install the affected CODESYS Gateway. Beside the standalone Gateway setup, this can be one of the following setups:

   • CODESYS Development System V3
   • CODESYS Control Win (SL)
   • CODESYS HMI
   • CODESYS OPC DA Server SL

   Afterward, perform the custom steps in the setup and ensure that the "CODESYS Gateway" is unchecked in the "Firewall Settings" screen.
Remediation: Update the following products to version 3.5.21.0.

• CODESYS Edge Gateway for Windows
• CODESYS Gateway for Windows

Please note that a new version of the CODESYS (Edge) Gateway for Windows can be installed either with the corresponding standalone setup or as part of the setups of the following other CODESYS products:

• CODESYS Development System V3
• CODESYS Control Win (SL)
• CODESYS HMI
• CODESYS OPC DA Server SL

To ensure that all firewall rules are reset, we recommend uninstalling the previously mentioned setups that installed an affected Gateway.

Compatibility notes: By default, all 3.5.21.0 setups that install a CODESYS (Edge) Gateway configure the CODESYS Gateway to only allow local client access and do not add a Microsoft Windows firewall rule for CODESYS Gateways V3 and V2.3. However, if remote access is required, you can follow the custom steps in the setup and select the 'Allow remote access' checkbox. In addition, remote access can be enabled for specific IP addresses by changing the 'LocalAddress' setting in the [CmpGwCommDrvTcp] section in the Gateway.cfg file:

    [CmpGwCommDrvTcp]
    LocalAddress=127.0.0.1 ; allow access only from the local computer
    ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address
    ;LocalAddress=0.0.0.0 ; allow access from any remote machine

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.
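An added example, not part of the CODESYS advisory: a Python audit of the `LocalAddress` setting that the Mitigation and Remediation notes describe, suitable for running over collected copies of Gateway.cfg. The sample files are constructed; the case-insensitive name matching, the choice to report the most exposed value when the key appears more than once, and the result labels are assumptions of this example.

```python
import ipaddress

SECTION = "CmpGwCommDrvTcp"  # section name as written in the advisory
KEY = "LocalAddress"         # setting name as written in the advisory

# Constructed sample files, not taken from a real installation.
SAMPLE_LOCAL_ONLY = """\
[CmpGwCommDrvTcp]
LocalAddress=127.0.0.1 ; allow access only from the local computer
;LocalAddress=0.0.0.0 ; allow access from any remote machine
"""
SAMPLE_EXPOSED = """\
[CmpGwCommDrvTcp]
;LocalAddress=127.0.0.1
LocalAddress=0.0.0.0
"""
SAMPLE_UNSET = """\
[SomeOtherSection]
LocalAddress=127.0.0.1
"""

# Higher rank means more exposure or more need for review (labels are this example's own).
RANK = {"local-only": 0, "single-adapter": 1, "invalid": 2, "all-adapters": 3}


def active_local_addresses(cfg_text):
    """Return every uncommented LocalAddress value inside [CmpGwCommDrvTcp]."""
    values, in_section = [], False
    for raw in cfg_text.splitlines():
        # ';' starts a comment, as in the advisory's sample configuration.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Assumption: names are compared case-insensitively to avoid missed findings.
            in_section = line[1:-1].strip().lower() == SECTION.lower()
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == KEY.lower():
                values.append(value.strip())
    return values


def classify(value):
    """Map one LocalAddress value to an exposure label."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "invalid"          # not an IP literal: needs manual review
    if addr.is_unspecified:
        return "all-adapters"     # 0.0.0.0: reachable from any remote machine
    if addr.is_loopback:
        return "local-only"       # 127.0.0.1: local computer only
    return "single-adapter"       # reachable only via this adapter address


def audit(cfg_text):
    """Return the most exposed label found, or 'unset' if the key is absent.

    'unset' means the product default applies; per the advisory, Gateways
    before 3.5.21.0 listen on all adapters on port 1217 by default.
    """
    values = active_local_addresses(cfg_text)
    if not values:
        return "unset"
    return max((classify(v) for v in values), key=RANK.__getitem__)


if __name__ == "__main__":
    for name, text in [("local", SAMPLE_LOCAL_ONLY),
                       ("exposed", SAMPLE_EXPOSED),
                       ("unset", SAMPLE_UNSET)]:
        print(name, "->", audit(text))
```

A result of `all-adapters`, `invalid` or `unset` on a Gateway before 3.5.21.0 is the case the advisory's mitigation addresses; `single-adapter` should be compared against the network segment that is meant to reach the Gateway.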
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:

* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions

For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper [here](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf).
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH. Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.

An unauthenticated remote attacker can gain limited information of the PLC network but the user management of the PLCs prevents the actual access to the PLCs.

CWE-1188 - Initialization of a Resource with an Insecure Default
Acknowledgments
CERT@VDE certvde.com
Nozomi Networks Diego Guibertoni

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Diego Guibertoni"
        ],
        "organization": "Nozomi Networks",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The CODESYS Gateway enables communication between CODESYS runtimes and other clients, primarily the CODESYS Development System V3. It is usually installed as a part of the CODESYS Development System V3 setup and accessed locally by the CODESYS Development System. Due to an insecure standard configuration of the CODESYS Gateway, it is not only accessible locally, but also remotely by default. ",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The CODESYS Gateway serves as a communication channel for various clients to CODESYS runtimes. By default, the CODESYS Gateway listens on all available network adapters on port 1217 and can therefore be accessed remotely. However, remote access to the CODESYS Gateway is only required in certain network configurations. Since the CODESYS Gateway is usually accessed locally, many users are unaware of this remote access option, which can enable scanning of and access to restricted PLC networks. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs \u2013 unless it is disabled.\n\nPlease note that the CODESYS (Edge) Gateway for Windows can be installed as a separate setup or as part of other setups such as the CODESYS Development System V3 setup or the CODESYS OPC DA Server setup. ",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "There are two possibilities to mitigate the vulnerability in CODESYS (Edge) Gateways with versions before 3.5.21.0:\n\n1. Check the \"LocalAddress\" setting in the [CmpGwCommDrvTcp] section of the Gateway\u0027s configuration file as follows:\n\n       [CmpGwCommDrvTcp] \n\n       LocalAddress=127.0.0.1 ; allow access only from the local computer \n\n       ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address \n\n       ;LocalAddress=0.0.0.0 ; allow access from any remote machine \n\n2. To reset the Microsoft Windows firewall rule, you must first uninstall the setup that was originally used to install the affected CODESYS Gateway. Beside the standalone Gateway setup, this can be one of the following setups:\n\n   \u2022 CODESYS Development System V3\n\n   \u2022 CODESYS Control Win (SL)\n\n   \u2022 CODESYS HMI\n\n   \u2022 CODESYS OPC DA Server SL\n\n   Afterward, perform the custom steps in the setup and ensure that the \"CODESYS Gateway\" is unchecked in the \"Firewall Settings\" screen. ",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Update the following products to version 3.5.21.0.\n\n\u2022 CODESYS Edge Gateway for Windows\n\n\u2022 CODESYS Gateway for Windows\n\nPlease note that a new version of the CODESYS (Edge) Gateway for Windows can be installed either with the corresponding standalone setup or as part of the setups of the following other CODESYS products:\n\n\u2022 CODESYS Development System V3\n\n\u2022 CODESYS Control Win (SL)\n\n\u2022 CODESYS HMI\n\n\u2022 CODESYS OPC DA Server SL\n\nTo ensure that all firewall rules are reset, we recommend uninstalling the previously mentioned setups that installed an affected Gateway.\n\nCompatibility notes:\nBy default, all 3.5.21.0 setups that install a CODESYS (Edge) Gateway configure the CODESYS Gateway to only allow local client access and do not add a Microsoft Windows firewall rule for CODESYS Gateways V3 and V2.3. However, if remote access is required, you can follow the custom steps in the setup and select the \u0027Allow remote access\u0027 checkbox. In addition, remote access can be enabled for specific IP addresses by changing the \u0027LocalAddress\u0027 setting in the [CmpGwCommDrvTcp] section in the Gateway.cfg file:\n\n    [CmpGwCommDrvTcp]\n\n    LocalAddress=127.0.0.1 ; allow access only from the local computer\n\n    ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address\n\n    ;LocalAddress=0.0.0.0 ; allow access from any remote machine\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
        "title": "General Recommendation"
      },
      {
        "category": "legal_disclaimer",
        "text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security@codesys.com",
      "name": "CODESYS GmbH",
      "namespace": "https://www.codesys.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for CODESYS GmbH",
        "url": "https://certvde.com/en/advisories/vendor/codesys"
      },
      {
        "category": "self",
        "summary": "Advisory2025-02_VDE-2025-013: CODESYS (Edge) Gateway for Windows insecure default - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-013/"
      },
      {
        "category": "self",
        "summary": "Advisory2025-02_VDE-2025-013: CODESYS (Edge) Gateway for Windows insecure default - CSAF",
        "url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2025/advisory2025-02_vde-2025-013.json"
      },
      {
        "category": "external",
        "summary": "CODESYS Security Advisories",
        "url": "https://www.codesys.com/security/security-reports.html"
      },
      {
        "category": "self",
        "summary": "Advisory2025-02_VDE-2025-013: CODESYS (Edge) Gateway for Windows insecure default - PDF",
        "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=18810\u0026token=7288c344697bf37648e1ad475ea53a0a2bd9fc43\u0026download="
      }
    ],
    "title": "CODESYS (Edge) Gateway for Windows insecure default",
    "tracking": {
      "aliases": [
        "VDE-2025-013",
        "CODESYS Security Advisory 2025-02"
      ],
      "current_release_date": "2025-06-05T13:31:01.000Z",
      "generator": {
        "date": "2025-04-15T11:00:46.856Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.18"
        }
      },
      "id": "Advisory2025-02_VDE-2025-013",
      "initial_release_date": "2025-03-18T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-03-18T11:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-04-15T11:30:00.000Z",
          "number": "2",
          "summary": "Update: fix spelling mistakes: Gateway.ini -\u003e Gateway.cfg, gateway -\u003e Gateway"
        },
        {
          "date": "2025-06-05T13:31:01.000Z",
          "number": "3",
          "summary": "Fix: quotation mark"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c3.5.21.0",
                    "product": {
                      "name": "CODESYS Edge Gateway \u003c3.5.21.0",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.21.0",
                    "product": {
                      "name": "CODESYS Edge Gateway 3.5.21.0",
                      "product_id": "CSAFPID-52001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Edge Gateway for Windows "
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c3.5.21.0",
                    "product": {
                      "name": "CODESYS Gateway for Windows \u003c3.5.21.0",
                      "product_id": "CSAFPID-51002"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.21.0",
                    "product": {
                      "name": "CODESYS Gateway for Windows 3.5.21.0",
                      "product_id": "CSAFPID-52002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Gateway for Windows"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "CODESYS"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-1001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002"
        ],
        "summary": "Affected products"
      },
      {
        "group_id": "CSAFGID-2001",
        "product_ids": [
          "CSAFPID-52001",
          "CSAFPID-52002"
        ],
        "summary": "Fixed products"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-41975",
      "cwe": {
        "id": "CWE-1188",
        "name": "Initialization of a Resource with an Insecure Default"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An unauthenticated remote attacker can gain limited information of the PLC network but the user management of the PLCs prevents the actual access to the PLCs.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001",
          "CSAFPID-52002"
        ],
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update the following products to version 3.5.21.0.\n\n\u2022 CODESYS Edge Gateway for Windows\n\n\u2022 CODESYS Gateway for Windows\n\nPlease note that a new version of the CODESYS (Edge) Gateway for Windows can be installed either with the corresponding standalone setup or as part of the setups of the following other CODESYS products:\n\n\u2022 CODESYS Development System V3\n\n\u2022 CODESYS Control Win (SL)\n\n\u2022 CODESYS HMI\n\n\u2022 CODESYS OPC DA Server SL\n\nTo ensure that all firewall rules are reset, we recommend uninstalling the previously mentioned setups that installed an affected Gateway.\n\nCompatibility notes:\nBy default, all 3.5.21.0 setups that install a CODESYS (Edge) Gateway configure the CODESYS Gateway to only allow local client access and do not add a Microsoft Windows firewall rule for CODESYS Gateways V3 and V2.3. However, if remote access is required, you can follow the custom steps in the setup and select the \u0027Allow remote access\u0027 checkbox. In addition, remote access can be enabled for specific IP addresses by changing the \u0027LocalAddress\u0027 setting in the [CmpGwCommDrvTcp] section in the Gateway.cfg file:\n\n    [CmpGwCommDrvTcp]\n\n    LocalAddress=127.0.0.1 ; allow access only from the local computer\n\n    ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address\n\n    ;LocalAddress=0.0.0.0 ; allow access from any remote machine\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.",
          "group_ids": [
            "CSAFGID-1001"
          ]
        },
        {
          "category": "mitigation",
          "details": "There are two possibilities to mitigate the vulnerability in CODESYS (Edge) Gateways with versions before 3.5.21.0:\n\n1. Check the \"LocalAddress\" setting in the [CmpGwCommDrvTcp] section of the Gateway\u0027s configuration file as follows:\n\n       [CmpGwCommDrvTcp] \n\n       LocalAddress=127.0.0.1 ; allow access only from the local computer \n\n       ;LocalAddress=192.168.1.1 ; IP address (of any adapter) to be listened to - access is only allowed via this address \n\n       ;LocalAddress=0.0.0.0 ; allow access from any remote machine \n\n2. To reset the Microsoft Windows firewall rule, you must first uninstall the setup that was originally used to install the affected CODESYS Gateway. Beside the standalone Gateway setup, this can be one of the following setups:\n\n   \u2022 CODESYS Development System V3\n\n   \u2022 CODESYS Control Win (SL)\n\n   \u2022 CODESYS HMI\n\n   \u2022 CODESYS OPC DA Server SL\n\n   Afterward, perform the custom steps in the setup and ensure that the \"CODESYS Gateway\" is unchecked in the \"Firewall Settings\" screen. ",
          "group_ids": [
            "CSAFGID-1001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002"
          ]
        }
      ],
      "title": "CVE-2024-41975"
    }
  ]
}

