Hackers may have the capability to shut down entire power plants through vulnerabilities in Codesys

Microsoft’s security researchers recently highlighted a series of severe vulnerabilities in the Codesys V3 SDK, commonly used in industrial programming for Programmable Logic Controllers (PLCs). Although exploiting these weaknesses is challenging, the potential damage they could cause is significant. These vulnerabilities could potentially allow attackers to shut down entire power plants, manipulate PLCs in unusual ways, or steal sensitive information. Exploiting these vulnerabilities requires user authentication and advanced knowledge of Codesys V3’s proprietary protocol and the structure of the services using this protocol.

In September 2022, Microsoft researchers reported these 15 vulnerabilities to Codesys; 14 of them have a CVSS score of 8.8. All Codesys V3 versions prior to 3.5.19.0 are affected. Codesys has since released patches, which are available for download on its website. While many companies have likely updated their Codesys SDKs, those who haven’t should do so promptly.

However, the situation might not be as dire as it seems. According to security experts from Dragos, Codesys is less prevalent in power generation than in discrete manufacturing and other process controls. Because exploitation requires authentication, an attacker in a position to use these vulnerabilities could already do various things on the system, which makes the vulnerabilities somewhat redundant. Additionally, the complexity of industrial systems implies that accessing one part doesn’t necessarily lead to the collapse of the entire system. Unlike fragile structures that can collapse when a single piece is removed, these systems are more akin to skyscrapers designed to withstand various factors like wind and earthquakes. Therefore, shutting down entire power plants would likely require more than just exploiting the vulnerabilities identified by Microsoft.
