CVE-2021-30190

9.8 CRITICAL

📋 TL;DR

CVE-2021-30190 is an improper access control vulnerability in CODESYS V2 Web-Server that allows unauthenticated attackers to bypass authentication and gain unauthorized access to the web interface. This affects industrial control systems using CODESYS V2 Web-Server versions before 1.1.9.20, potentially exposing PLC programming and configuration interfaces.

💻 Affected Systems

Products:
  • CODESYS V2 Web-Server
Versions: All versions before 1.1.9.20
Operating Systems: Windows, Linux, Various real-time operating systems used in industrial controllers
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system with CODESYS V2 Web-Server enabled, which is commonly used for remote programming and monitoring of industrial PLCs.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over industrial PLCs, allowing them to modify logic, disrupt operations, cause physical damage, or establish persistent access to critical infrastructure systems.

🟠 Likely Case

Unauthenticated attackers access sensitive configuration data, modify PLC programs, disrupt industrial processes, or use the compromised system as a foothold for lateral movement.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the isolated control system segment, preventing broader network compromise.

🌐 Internet-Facing: HIGH - Direct internet exposure allows unauthenticated remote attackers to exploit this vulnerability without any prerequisites.
🏢 Internal Only: HIGH - Even internally, any network-accessible CODESYS Web-Server is vulnerable to unauthenticated exploitation from compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests can bypass authentication. Exploitation requires network access to the web server port (typically 80/443 or 8080).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.9.20 and later

Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14726&token=553da5d11234bbe1ceed59969d419a71bb8c8747&download=

Restart Required: Yes

Instructions:

1. Download CODESYS V2 Web-Server version 1.1.9.20 or later from the CODESYS customer portal.
2. Stop the CODESYS Web-Server service.
3. Install the updated version.
4. Restart the service.
5. Verify the version is 1.1.9.20 or higher.

🔧 Temporary Workarounds

Network Segmentation (platforms: all)

Isolate the CODESYS Web-Server from untrusted networks using firewalls or network segmentation.

Disable Web-Server (platforms: all)

Disable the CODESYS V2 Web-Server if remote access is not required: stop the CODESYS Web-Server service.

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to CODESYS Web-Server only from trusted IP addresses
  • Monitor network traffic to CODESYS Web-Server for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check if CODESYS V2 Web-Server version is below 1.1.9.20. Attempt unauthenticated access to web interface endpoints.

Check Version:

Check the web interface footer or about page, or examine installed software version in control panel.

Verify Fix Applied:

Verify version is 1.1.9.20 or higher and test that unauthenticated access to protected endpoints is properly rejected.
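The version check above needs a numeric comparison, not a string one: as strings, "1.1.9.3" sorts after "1.1.9.20" even though it is the older, vulnerable release. The following is an added example (not CODESYS code) that gates on the 1.1.9.20 fix version; it assumes the product reports a plain dotted numeric version string and uses a constructed inventory.

```python
# Added example: numeric version gating for CVE-2021-30190 (not vendor code).
# Assumption: CODESYS V2 Web-Server reports a dotted numeric version such as "1.1.9.20".
from typing import Dict, Tuple

FIXED_VERSION = "1.1.9.20"  # first fixed release per the advisory above


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted version into a tuple of ints.

    A numeric tuple is required because plain string comparison is wrong
    here: "1.1.9.3" > "1.1.9.20" as strings, but 1.1.9.3 is the older
    (vulnerable) release.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if the reported version is older than 1.1.9.20."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'fixed' or 'unknown' (unparseable version)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are not real assets.
    sample = {
        "plc-line1": "1.1.9.3",
        "plc-line2": "1.1.9.20",
        "plc-line3": "1.1.10.1",
        "hmi-test": "n/a",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```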

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to protected endpoints
  • Authentication bypass attempts in web server logs
  • Unusual PLC programming or configuration changes

Network Indicators:

  • HTTP requests to CODESYS Web-Server without authentication headers
  • Traffic to CODESYS Web-Server from unexpected source IPs

SIEM Query (pseudo-query; the field names are placeholders and must be mapped to the fields your web server logs actually provide):

source="codesys_web_server" AND ((status=200 AND auth_failed=false) OR (uri CONTAINS "/protected/" AND auth_token=null))

🔗 References