Microsoft has disclosed 15 high-severity vulnerabilities in the CODESYS V3 software development kit (SDK). The SDK is a widely used collection of tools for programming the operational devices found in industrial facilities such as power plants, factories, and energy automation sites. Exploiting these vulnerabilities can result in remote code execution and denial-of-service attacks, either of which can cause significant damage to the targeted facility.

The CODESYS V3 SDK is used by developers to build the software that runs on programmable logic controllers (PLCs) in a wide range of industrial devices. PLCs control physical operations in industrial facilities and play a critical role in managing valves, rotors, and other equipment. The SDK is used by companies such as Schneider Electric and WAGO. The vulnerabilities in the SDK can allow threat actors to remotely execute code, tamper with operations, and steal sensitive information.

While exploiting these vulnerabilities requires deep knowledge of CODESYS V3’s proprietary protocol as well as user authentication, a successful attack can have severe consequences. Threat actors could launch denial-of-service attacks to shut down industrial operations, or use the code execution vulnerabilities to deploy backdoors and steal critical data.

Following Microsoft’s notification in September, CODESYS has released patches that fix the vulnerabilities. The patches only help once deployed, however, so it is crucial that vendors using the SDK install these updates promptly to mitigate the risk.

While exploiting these vulnerabilities might be difficult, past attacks like Triton and Trisis have demonstrated that threat actors are capable of carrying out attacks of this kind. Those attacks targeted critical facilities and aimed to disable safety systems. However, such attacks are rare, and the likelihood that these vulnerabilities will be patched in most affected production environments is high, reducing the risk of widespread damage.

Although these vulnerabilities are a cause for concern in the industry, the authentication requirements and the complex nature of industrial systems mitigate the potential for catastrophic impact. Industrial systems are engineered for resilience and are not easily compromised.

The vulnerabilities are now tracked and categorized based on their impact. CODESYS has also issued its own advisory, and Microsoft has provided code to help organizations identify vulnerable devices that may still be in use.