Summary
An unauthenticated attacker can read static visualization files of the CODESYS WebVisu by using forced browsing to bypass the CODESYS Visualization user management.
Impact
The CODESYS Visualization, together with the CmpWebServer component in the CODESYS Control Runtime, allows users to create browser-based visualizations for monitoring and controlling industrial processes. Access to these visualizations can be restricted using the built-in user management.
However, on CODESYS Control Runtime systems that execute an application containing a CODESYS WebVisu, an unauthenticated remote attacker can bypass this user management and read visualization files by means of forced browsing, i.e. by requesting the file URLs directly without first logging in. The exposed files, retrievable with an ordinary web browser, contain only static visualization data such as text lists, icons or images, not live process data from the controlled system.
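The following is an added example written for this page; it is not CODESYS code and does not reproduce the CODESYS web server. It shows the forced-browsing check a practitioner would run: request visualization resources with no session and treat any 2xx answer as a finding. Because the advisory names no concrete file paths, the asset paths, the session cookie name and the stand-in HTTP server below are all constructed assumptions. The server is built in two modes, one that mirrors the flaw (static files served to anyone who knows the path) and one that requires a session cookie first, so the same probe demonstrates both the exposed and the fixed behaviour offline.

```python
"""Forced-browsing check for static web resources behind session-based access control.

Added example, not CODESYS code. The local server is a constructed stand-in for a
web server that serves visualization assets; paths, cookie name and behaviour are
assumptions for illustration only.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical asset paths and session cookie (assumptions, not CODESYS internals).
PROTECTED_PATHS = ["/assets/textlist.xml", "/assets/icon.png"]
SESSION_COOKIE = "visu_session=valid"


def make_handler(enforce_session):
    """Build a request handler for the constructed server.

    enforce_session=False mirrors the flaw described in the advisory: static files
    are served to anyone who requests the path. enforce_session=True is the fixed
    behaviour: a valid session cookie is required before any asset is returned.
    """

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path not in PROTECTED_PATHS:
                self.send_response(404)
                self.end_headers()
                return
            if enforce_session and SESSION_COOKIE not in self.headers.get("Cookie", ""):
                self.send_response(401)  # no session: refuse the static file
                self.end_headers()
                return
            body = b"<static visualization data>"
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def probe(base_url, paths, cookie=None):
    """Request each path (without a session unless a cookie is given) and return
    {path: HTTP status}. A 2xx without a session on a path that should be
    protected is a forced-browsing finding."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url + path)
        if cookie:
            req.add_header("Cookie", cookie)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code
    return results


def exposed_paths(results):
    """Paths that were readable without a session."""
    return [p for p, status in results.items() if 200 <= status < 300]


def run_against_local_server(enforce_session):
    """Start the constructed server on a free loopback port, probe it with no
    session, and return {path: status}."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(enforce_session))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return probe(base, PROTECTED_PATHS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("unpatched behaviour, readable without session:",
          exposed_paths(run_against_local_server(False)))
    print("fixed behaviour, readable without session:   ",
          exposed_paths(run_against_local_server(True)))
```

To check a real controller, note the URL of a visualization resource (for example a text list or image) loaded by the browser during an authenticated WebVisu session, then call `probe()` against the controller's base URL with that path and no cookie. A 200 response means the file is still readable without logging in; after applying the updates and recompiling and re-downloading the project as described under Remediation, the request should be rejected.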
Affected Product(s)
| Product name | Affected versions |
|---|---|
| CODESYS Control RTE (SL) | <3.5.21.0 |
| CODESYS Control RTE (for Beckhoff CX) SL | <3.5.21.0 |
| CODESYS Control Win (SL) | <3.5.21.0 |
| CODESYS Control for BeagleBone SL | <4.15.0.0 |
| CODESYS Control for IOT2000 SL | <4.15.0.0 |
| CODESYS Control for Linux ARM SL | <4.15.0.0 |
| CODESYS Control for Linux SL | <4.15.0.0 |
| CODESYS Control for PFC100 SL | <4.15.0.0 |
| CODESYS Control for PFC200 SL | <4.15.0.0 |
| CODESYS Control for PLCnext SL | <4.15.0.0 |
| CODESYS Control for Raspberry Pi SL | <4.15.0.0 |
| CODESYS Control for WAGO Touch Panels 600 SL | <4.15.0.0 |
| CODESYS Control for emPC-A/iMX6 SL | <4.15.0.0 |
| CODESYS Embedded Target Visu Toolkit | <3.5.21.0 |
| CODESYS HMI (SL) | <3.5.21.0 |
| CODESYS Remote Target Visu Toolkit | <3.5.21.0 |
| CODESYS Runtime Toolkit | <3.5.21.0 |
| CODESYS Virtual Control SL | <4.15.0.0 |
| CODESYS Visualization | <4.8.0.0 |
Vulnerabilities
An unauthenticated remote attacker can bypass the user management in the CODESYS Visualization and read visualization template files or static elements of the CODESYS WebVisu by means of forced browsing.
Remediation
Update the following product to version 4.8.0.0.
* CODESYS Visualization
Update the following products to version 3.5.21.0.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS HMI (SL)
* CODESYS Runtime Toolkit
* CODESYS Embedded Target Visu Toolkit
* CODESYS Remote Target Visu Toolkit
Update the following products to version 4.15.0.0.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL
Updates of both the CODESYS Visualization and the CODESYS Control Runtime System or the CODESYS HMI are required to fix the vulnerability.
Moreover, existing CODESYS projects that include a CODESYS WebVisu must be recompiled and downloaded to the updated HMI or PLC.
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or downloaded from the CODESYS Store. For these and all other products, further information on obtaining the software update is available in the CODESYS Update area at https://www.codesys.com/download/.
Acknowledgments
CODESYS GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
- M. Ankith from Honeywell for reporting
Revision History
| Version | Date | Summary | 
|---|---|---|
| 1 | 23.04.2025 12:00 | Initial revision. |