ADVISORY2025-04_VDE-2025-022

Vulnerability from csaf_codesysgmbh - Published: 2025-03-18 11:00 - Updated: 2025-06-05 13:31
Summary
CODESYS Control V3 - OPC UA Server Authentication bypass
Notes
Summary: The OPC UA security policy Basic128Rsa15 is vulnerable to attacks on the server's private key. This can lead to loss of confidentiality or authentication bypass. The CODESYS OPC UA server is not affected in the default configuration; however, the affected policy may have been enabled by a customer (device manufacturer) build configuration.
Impact: The CODESYS OPC UA server, implemented by the CmpOPCUAServer component, is an optional part of the CODESYS runtime system. It enables data exchange between the CODESYS runtime system and OPC UA clients such as SCADA systems or HMIs.

The OPC UA protocol supports various security policies to protect communication against common attacks. The deprecated Basic128Rsa15 security policy (http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15) relies on the outdated RSA encryption scheme with PKCS#1 v1.5 padding to secure the payload of OpenSecureChannel messages. Because the server's behaviour reveals whether the decrypted padding was well-formed, an unauthenticated attacker can run the Bleichenbacher padding oracle attack against the private key of the OPC UA server's certificate: the server is tricked into acting as a decryption oracle for attacker-chosen ciphertexts. Consequently, a client could bypass application authentication or decrypt transmitted data. This vulnerability corresponds to CVE-2024-42512, which was published by the OPC Foundation for their OPC UA .NET Standard Stack. However, our assessment resulted in a higher CVSS score because we rate the attack complexity of the Bleichenbacher padding oracle as low rather than high.

Although this security policy is disabled by default in the CODESYS Runtime Toolkit, device manufacturers with custom build configurations may have enabled it in the past by setting the compiler #define "CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY".

Note: At the same time as the publication of CVE-2024-42512, the OPC Foundation also released CVE-2024-42513. Since CODESYS products do not support OPC UA HTTPS endpoints, no CODESYS product is affected by CVE-2024-42513.
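The paragraph above names the attack but not the mechanism. The following is an added example, written for this page and not code from CODESYS, the OPC Foundation or the reporter: it implements the textbook Bleichenbacher (1998) attack against a PKCS#1 v1.5 padding oracle, using a constructed toy RSA key (two Mersenne primes, about 150 bits, so the attack finishes in a few seconds) and the lax oracle from the original paper, which only reports whether the decrypted block begins with 00 02. A real server that distinguishes a padding failure from any other failure (by error code, message or timing) provides exactly this oracle. The message, key and seed are all assumptions for the demonstration; nothing here is a protocol exchange with a CODESYS device.

```python
"""Added example: Bleichenbacher's attack on an RSA PKCS#1 v1.5 padding oracle,
run against a constructed toy key. Not CODESYS or OPC Foundation code."""
import random

# Toy RSA key from two Mersenne primes (constructed; ~150-bit modulus, far too small
# for real use, chosen only so the attack completes quickly).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes
B = 1 << (8 * (K - 2))               # PKCS#1 v1.5: a conforming block lies in [2B, 3B)

queries = 0

def pkcs1v15_pad(msg: bytes, rng: random.Random) -> int:
    """EME-PKCS1-v1_5 encoding: 00 02 <non-zero random bytes> 00 <msg>, as an integer."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def padding_oracle(c: int) -> bool:
    """The observable discrepancy: answers only 'does the decryption start with 00 02?'.
    The attacker never sees the plaintext, just this one bit per query."""
    global queries
    queries += 1
    return 2 * B <= pow(c, D, N) < 3 * B

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def merge(intervals):
    """Union of closed integer intervals: sort, then join overlapping/adjacent ones."""
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def conforming(c0: int, s: int, oracle) -> bool:
    # RSA is multiplicative: (c0 * s^e)^d = m * s mod N, so the oracle is asked about m*s
    return oracle(c0 * pow(s, E, N) % N)

def bleichenbacher(c0: int, oracle) -> int:
    """Recover m = c0^d mod N from oracle answers alone (steps 2-4 of the paper;
    c0 is already conforming, so step 1 and the blinding factor are skipped)."""
    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)                      # step 2a: first conforming s >= N/(3B)
    while not conforming(c0, s, oracle):
        s += 1
    while True:
        narrowed = []                           # step 3: keep only m consistent with s
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    narrowed.append((lo, hi))
        M = merge(narrowed)
        if len(M) == 1 and M[0][0] == M[0][1]:  # step 4: one candidate left
            return M[0][0]
        if len(M) > 1:                          # step 2b: several intervals, walk s upward
            s += 1
            while not conforming(c0, s, oracle):
                s += 1
        else:                                   # step 2c: one interval, roughly halve it
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                found = next((t for t in range(ceil_div(2 * B + r * N, b),
                                               (3 * B - 1 + r * N) // a + 1)
                              if conforming(c0, t, oracle)), None)
                if found is not None:
                    s = found
                    break
                r += 1

def unpad(m: int) -> bytes:
    block = m.to_bytes(K, "big")
    return block[block.index(b"\x00", 2) + 1:]

def demo(secret: bytes = b"secret") -> tuple:
    """Encrypt `secret` (constructed) with the toy key, then recover it via the oracle only."""
    global queries
    queries = 0
    c0 = pow(pkcs1v15_pad(secret, random.Random(2025)), E, N)
    return unpad(bleichenbacher(c0, padding_oracle)), queries

if __name__ == "__main__":
    plain, n = demo()
    print(f"recovered {plain!r} after {n} oracle queries")
```

The query count is dominated by step 2a (finding the first multiplier whose product wraps into the conforming range); with a 1024-bit key and a stricter oracle that also checks the separator and padding length, real attacks need on the order of hundreds of thousands to millions of queries, which is why the attack complexity rating hinges on whether the server can be queried that often without notice. The defence is not a better error message but removing RSA PKCS#1 v1.5 encryption from the negotiable policies, which is what disabling Basic128Rsa15 does.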
Mitigation: If set, device manufacturers need to remove the compiler #define "CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY" from the build configuration of the CODESYS Runtime Toolkit to restore the default value, which disables the affected OPC UA security policy Basic128Rsa15. Note: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS OPC UA server.
Remediation: Update the following product to version 3.5.21.0 and follow the updated documentation:
* CODESYS Runtime Toolkit

This update has no direct functional impact, but the improved documentation strongly discourages the CODESYS Runtime Toolkit setting 'CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY'. If set, device manufacturers need to remove the compiler #define "CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY" from the build configuration of the CODESYS Runtime Toolkit to remediate the vulnerability. This restores the default configuration and disables the affected OPC UA security policy Basic128Rsa15. Note: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS OPC UA server. Device manufacturers find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions

For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH. Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.

An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy.

CWE-203 - Observable Discrepancy
Mitigation: If set, device manufacturers need to remove the compiler #define "CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY" from the build configuration of the CODESYS Runtime Toolkit to restore the default value, which disables the affected OPC UA security policy Basic128Rsa15. Note: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS OPC UA server.
Vendor Fix: Update the following product to version 3.5.21.0 and follow the updated documentation:
* CODESYS Runtime Toolkit

This update has no direct functional impact, but the improved documentation strongly discourages the CODESYS Runtime Toolkit setting 'CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY'. If set, device manufacturers need to remove the compiler #define "CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY" from the build configuration of the CODESYS Runtime Toolkit to remediate the vulnerability. This restores the default configuration and disables the affected OPC UA security policy Basic128Rsa15. Note: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS OPC UA server. Device manufacturers find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.
Acknowledgments
CERT@VDE (coordination) - https://certvde.com
Tom Tervoort, Secura B.V. (reporting)

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Tom Tervoort"
        ],
        "organization": "Secura B.V.",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The OPC UA security policy Basic128Rsa15 is vulnerable against attacks on the private key. This can lead to loss of confidentiality or authentication bypass. The CODESYS OPC UA server is not affected in the default configuration. However, the affected policy may be enabled by a customer configuration.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The CODESYS OPC UA server, implemented by the CmpOPCUAServer component, is an optional part of the CODESYS runtime system. The OPC UA server enables data exchange between the CODESYS runtime system and OPC UA clients such as SCADA or HMIs.\n\nThe OPC UA protocol supports various security policies to protect communication against common attacks. The deprecated Basic128Rsa15 security policy (http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15) relies on the outdated RSA encryption scheme with PKCS#1 v1.5 padding to secure the payload of OpenSecureChannel messages. This weakness allows an unauthenticated attacker to exploit the Bleichenbacher padding oracle attack to compromise the private key of the OPC UA server\u0027s certificate. Consequently, a client could bypass application authentication or decrypt transmitted data. This vulnerability equals CVE-2024-42512, which was published by the OPC Foundation for their OPC UA.NET Standard Stack. However, our assessment resulted in a higher CVSS score because we determined that the attack complexity using the Bleichenbacher padding oracle is rather low than high.\n\nAlthough this security policy was disabled by default in the CODESYS Runtime Toolkit, device manufacturers with custom build configurations may have enabled it in the past by setting the compiler #define \"CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY\".\n\nNote: At the same time as the publication of CVE-2024-42512, the OPC Foundation also released CVE-2024-42513. Since CODESYS products do not support OPC UA HTTPS endpoints, no CODESYS product is affected by CVE-2024-42513.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "If set, device manufactures need to remove the compiler #define \"CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY\" from the build configuration of the CODESYS Runtime toolkit to restore the default value, which disables the affected OPC UA security policy Basic128Rsa15.\n\nNote: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS UPC UA server. ",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Update the following product to version 3.5.21.0 and follow the updated documentation:\n* CODESYS Runtime Toolkit\n\nThis update has no direct functional impact, but the improved documentation strongly discourages the CODESYS Runtime Toolkit setting \u0027CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY\u0027.\n\nIf set, device manufactures need to remove the compiler #define \"CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY\" from the build configuration of the CODESYS Runtime toolkit to remediate the vulnerability. This restores the default configuration and disables the affected OPC UA security policy Basic128Rsa15.\n\nNote: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS UPC UA server.\n\nDevice manufacturers find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download. ",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
        "title": "General Recommendation"
      },
      {
        "category": "legal_disclaimer",
        "text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security@codesys.com",
      "name": "CODESYS GmbH",
      "namespace": "https://www.codesys.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for CODESYS GmbH",
        "url": "https://certvde.com/en/advisories/vendor/codesys"
      },
      {
        "category": "self",
        "summary": "Advisory2025-04_VDE-2025-022: CODESYS Control V3 - OPC UA Server Authentication bypass - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-022/"
      },
      {
        "category": "self",
        "summary": "Advisory2025-04_VDE-2025-022: CODESYS Control V3 - OPC UA Server Authentication bypass - CSAF",
        "url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2025/advisory2025-04_vde-2025-022.json"
      },
      {
        "category": "external",
        "summary": "CODESYS Security Advisories",
        "url": "https://www.codesys.com/security/security-reports.html"
      },
      {
        "category": "self",
        "summary": "Advisory2025-04_VDE-2025-022: CODESYS Control V3 - OPC UA Server Authentication bypass  - PDF",
        "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=18837\u0026token=dfb30c01dee1bab88e4cf8e9787f2d2184457454\u0026download="
      }
    ],
    "title": "CODESYS Control V3 - OPC UA Server Authentication bypass",
    "tracking": {
      "aliases": [
        "VDE-2025-022",
        "CODESYS Security Advisory 2025-04"
      ],
      "current_release_date": "2025-06-05T13:31:01.000Z",
      "generator": {
        "date": "2025-03-13T10:19:49.914Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.18"
        }
      },
      "id": "Advisory2025-04_VDE-2025-022",
      "initial_release_date": "2025-03-18T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-03-18T11:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-06-05T13:31:01.000Z",
          "number": "2",
          "summary": "Fix: quotation mark"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c3.5.21.0",
                    "product": {
                      "name": "CODESYS Runtime Toolkit \u003c3.5.21.0",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.21.0",
                    "product": {
                      "name": "CODESYS Runtime Toolkit 3.5.21.0",
                      "product_id": "CSAFPID-52001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Runtime Toolkit"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "CODESYS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-1468",
      "cwe": {
        "id": "CWE-203",
        "name": "Observable Discrepancy"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001"
        ],
        "known_affected": [
          "CSAFPID-51001"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "If set, device manufactures need to remove the compiler #define \"CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY\" from the build configuration of the CODESYS Runtime toolkit to restore the default value, which disables the affected OPC UA security policy Basic128Rsa15.\n\nNote: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS UPC UA server.",
          "product_ids": [
            "CSAFPID-51001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update the following product to version 3.5.21.0 and follow the updated documentation:\n* CODESYS Runtime Toolkit\n\nThis update has no direct functional impact, but the improved documentation strongly discourages the CODESYS Runtime Toolkit setting \u0027CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY\u0027.\n\nIf set, device manufactures need to remove the compiler #define \"CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY\" from the build configuration of the CODESYS Runtime toolkit to remediate the vulnerability. This restores the default configuration and disables the affected OPC UA security policy Basic128Rsa15.\n\nNote: This prevents clients that only support the Basic128Rsa15 policy from connecting to the CODESYS UPC UA server.\n\nDevice manufacturers find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download. ",
          "product_ids": [
            "CSAFPID-52001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001"
          ]
        }
      ],
      "title": "CVE-2025-1468"
    }
  ]
}
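The CSAF document above is the machine-readable record of this advisory. Product status and remediations refer to products only by `product_id`, and the names behind those IDs sit several levels deep in `product_tree.branches`, so anyone ingesting a CSAF feed needs to resolve them before the data is useful. The following is an added example, not code from CODESYS or CERT@VDE: it walks the product tree and reports, per vulnerability, the affected and fixed product names, the highest CVSS v3 base score, and which remediation applies to which product. The embedded document is a constructed, trimmed copy of the advisory above (same product IDs, CVE, CWE and vector; notes and references omitted), so the block runs offline.

```python
"""Added example: resolve product IDs in a CSAF 2.0 advisory and summarise each
vulnerability. Not CODESYS or CERT@VDE tooling."""
import json

# Constructed, trimmed CSAF 2.0 document mirroring Advisory2025-04_VDE-2025-022
# (notes, references and acknowledgments left out for brevity).
CSAF_DOC = json.loads(r'''
{
  "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
               "title": "CODESYS Control V3 - OPC UA Server Authentication bypass",
               "tracking": {"id": "Advisory2025-04_VDE-2025-022", "status": "final", "version": "2"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "CODESYS", "branches": [
      {"category": "product_family", "name": "Software", "branches": [
        {"category": "product_name", "name": "CODESYS Runtime Toolkit", "branches": [
          {"category": "product_version_range", "name": "<3.5.21.0",
           "product": {"name": "CODESYS Runtime Toolkit <3.5.21.0", "product_id": "CSAFPID-51001"}},
          {"category": "product_version", "name": "3.5.21.0",
           "product": {"name": "CODESYS Runtime Toolkit 3.5.21.0", "product_id": "CSAFPID-52001"}}
        ]}
      ]}
    ]}
  ]},
  "vulnerabilities": [
    {"cve": "CVE-2025-1468", "cwe": {"id": "CWE-203", "name": "Observable Discrepancy"},
     "product_status": {"known_affected": ["CSAFPID-51001"], "fixed": ["CSAFPID-52001"]},
     "remediations": [
       {"category": "mitigation", "product_ids": ["CSAFPID-51001"],
        "details": "Remove the compiler #define CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY."},
       {"category": "vendor_fix", "product_ids": ["CSAFPID-52001"],
        "details": "Update to CODESYS Runtime Toolkit 3.5.21.0."}],
     "scores": [{"cvss_v3": {"baseScore": 7.5, "baseSeverity": "HIGH",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
                 "products": ["CSAFPID-51001"]}]}
  ]
}
''')

def product_names(product_tree: dict) -> dict:
    """Map product_id -> full product name by recursing through nested branches.
    CSAF also allows a flat `full_product_names` list, handled as well."""
    names = {}

    def walk(node: dict) -> None:
        prod = node.get("product")
        if prod:
            names[prod["product_id"]] = prod["name"]
        for child in node.get("branches", []):
            walk(child)

    for branch in product_tree.get("branches", []):
        walk(branch)
    for prod in product_tree.get("full_product_names", []):
        names[prod["product_id"]] = prod["name"]
    return names

def triage(doc: dict) -> list:
    """One summary dict per vulnerability, with product IDs resolved to names."""
    names = product_names(doc.get("product_tree", {}))
    resolve = lambda ids: [names.get(p, p) for p in ids]   # unknown IDs are kept verbatim
    out = []
    for vuln in doc.get("vulnerabilities", []):
        status = vuln.get("product_status", {})
        scores = [s["cvss_v3"]["baseScore"] for s in vuln.get("scores", []) if "cvss_v3" in s]
        out.append({
            "cve": vuln.get("cve"),
            "cwe": vuln.get("cwe", {}).get("id"),
            "affected": resolve(status.get("known_affected", [])),
            "fixed": resolve(status.get("fixed", [])),
            "base_score": max(scores, default=None),
            "remediations": [(r["category"], resolve(r.get("product_ids", [])))
                             for r in vuln.get("remediations", [])],
        })
    return out

if __name__ == "__main__":
    for entry in triage(CSAF_DOC):
        print(json.dumps(entry, indent=2))
```

For a real feed, replace `CSAF_DOC` with `json.load()` of the file fetched from the `self` reference URL listed above; the product tree of other advisories may carry more levels (architecture, service pack) but the same recursion resolves them.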

