Microsoft has disclosed 15 critical vulnerabilities in a toolkit intended for industrial use. Although exploiting these bugs is quite difficult, the risk is very high, because a successful attack could cause great damage to its targets.
Specifically, the vulnerabilities affect the CODESYS V3 software development kit (SDK), which is used to program logic controllers: devices that open and close valves, rotate motors, and control many other physical devices inside industrial facilities worldwide, such as power generation plants, energy automation, and process automation.
The SDK lets developers build products that are compatible with IEC 61131-3, a system of programming languages that are safe for use in industrial environments.
According to a Microsoft report, a hacker who performed a DoS attack on a device using a vulnerable version of CODESYS could shut down a power plant, interfere with its operations, cause its systems to fail, make control logic run abnormally, or steal important information.
Many vendors around the world use CODESYS, so a single vulnerability can affect multiple sectors, device types, and verticals. The 15 vulnerabilities discovered by Microsoft can all lead to DoS and RCE attacks. Although exploiting these vulnerabilities requires deep knowledge of CODESYS V3’s proprietary protocol as well as user authentication, a successful attack has the potential to cause massive damage to targeted users.
Starting in September 2022, Microsoft privately reported the vulnerabilities to the CODESYS developers, and patches have since been released. Many vendors using the SDK now have the updates installed.