CVE-2022-32143 HIGH

CVE-2022-32143: CODESYS runtime system prone to directory access

Vendor Codesys
Product Runtime Toolkit
Weakness CWE-552 · Files accessible externally
Published June 24, 2022
Last update September 16, 2024

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

In multiple CODESYS products, the file download and upload function allows access to internal files in the working directory, e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if the remote attacker has previously successfully authenticated himself to the controller. A successful attack may lead to a denial of service, change of local files, or drain of confidential information. User interaction is not required.

Key dates

02 Disclosure timeline

June 24, 2022 CVE published
September 16, 2024 Record updated