CVE-2021-30192

9.8 CRITICAL

📋 TL;DR

CVE-2021-30192 is an improper security check vulnerability in CODESYS V2 Web-Server that allows attackers to bypass authentication and gain unauthorized access. This affects industrial control systems using CODESYS V2 Web-Server versions before 1.1.9.20. Attackers can exploit this to execute arbitrary code or manipulate PLC operations.

💻 Affected Systems

Products:
  • CODESYS V2 Web-Server
Versions: All versions before 1.1.9.20
Operating Systems: Windows, Linux, Various real-time operating systems used with CODESYS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system running CODESYS V2 Web-Server component, commonly found in industrial PLCs and automation controllers.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of industrial control systems leading to physical damage, production shutdown, or safety incidents via remote code execution on PLCs.

🟠 Likely Case: Unauthorized access to PLC programming and configuration, manipulation of industrial processes, data theft, or denial of service.

🟢 If Mitigated: Limited impact if systems are isolated, patched, or have additional network segmentation and access controls.

🌐 Internet-Facing: HIGH - Web servers exposed to internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this to compromise critical industrial systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the web server port (typically 80/443 or 8080). The vulnerability allows bypassing authentication checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.9.20

Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14726&token=553da5d11234bbe1ceed59969d419a71bb8c8747&download=

Restart Required: Yes

Instructions:

1. Download CODESYS V2 Web-Server version 1.1.9.20 or later from the CODESYS customer portal.
2. Stop the CODESYS service.
3. Install the updated version.
4. Restart the service.
5. Verify the version is 1.1.9.20 or higher.

🔧 Temporary Workarounds

Network Isolation (platform: all)

Restrict network access to the CODESYS Web-Server to trusted management networks only:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port port="80" protocol="tcp" accept'
netsh advfirewall firewall add rule name="CODESYS_Web" dir=in action=allow protocol=TCP localport=80 remoteip=TRUSTED_NETWORK

Disable Web Server (platform: all)

Temporarily disable the CODESYS V2 Web-Server if it is not required for operations (the service names below are placeholders; use the service name actually registered on the host):

systemctl stop codesys-web
sc stop "CODESYS Web Server"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate CODESYS systems from untrusted networks
  • Deploy application-level firewalls or WAFs with rules to block unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check CODESYS Web-Server version via web interface at http://<ip>:80/ or using system services list

Check Version:

On Windows: sc query "CODESYS Web Server" | findstr "VERSION"
On Linux: codesys-web --version

(Service name and version command are placeholders; if they do not match your installation, read the installed version from the Web-Server's about page or the service's file properties.)

Verify Fix Applied:

Verify version is 1.1.9.20 or higher in CODESYS Web-Server about page or service properties
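The version check above is easy to get wrong when done as a string comparison ("1.1.9.3" sorts after "1.1.9.20" as text). The following helper, an added example that is not part of this advisory or of the CODESYS product, parses dotted versions numerically and reports whether a build predates the 1.1.9.20 fix. The `extract_version` function assumes a free-form tool output that contains a dotted version somewhere; the sample outputs are constructed, since real service-query output varies by installation.

```python
import re

# Version at which the vendor fixed CVE-2021-30192 (from the advisory).
FIXED_VERSION = "1.1.9.20"


def parse_version(version):
    """Split a dotted version string into a tuple of integers.

    Numeric comparison matters here: as plain strings, "1.1.9.3" sorts
    after "1.1.9.20", which would wrongly report a vulnerable build as fixed.
    A trailing non-numeric suffix (e.g. "1.1.9.20-rc1") is ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1, padding the shorter tuple with zeros ("1.2" == "1.2.0")."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed_version, fixed_version=FIXED_VERSION):
    """True when the installed CODESYS V2 Web-Server build predates the fix."""
    return compare_versions(installed_version, fixed_version) < 0


def extract_version(tool_output):
    """Pull the first dotted version (3 or 4 components) out of free-form tool
    output, or return None if nothing version-like is present.
    The output format is hypothetical; adapt the pattern to your tooling."""
    m = re.search(r"\b(\d+\.\d+\.\d+(?:\.\d+)?)\b", tool_output)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample outputs; real output differs per installation.
    samples = ["VERSION: 1.1.9.3", "CODESYS Web-Server 1.1.9.20", "version 1.1.9.21"]
    for s in samples:
        v = extract_version(s)
        state = "VULNERABLE" if is_vulnerable(v) else "fixed"
        print(f"{s!r}: version {v} -> {state}")
```

Run it against the actual output of your version query; anything reported as VULNERABLE should be scheduled for the 1.1.9.20 update or one of the workarounds above.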

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /webvisu/ or /plc/ paths
  • Authentication bypass logs in CODESYS audit logs
  • Unexpected PLC programming sessions

Network Indicators:

  • Unusual HTTP requests to CODESYS web ports from unauthorized sources
  • Traffic patterns indicating PLC manipulation

SIEM Query:

source="codesys.log" AND (event_type="auth_failure" OR event_type="unauthorized_access")
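To turn the log and network indicators above into something that can be run over exported logs, here is an added example (not part of this advisory or of any CODESYS tooling) that flags requests to the /webvisu/ and /plc/ paths from addresses outside an assumed trusted management network, and picks out `auth_failure` / `unauthorized_access` events from an audit log. Both log layouts are assumptions: the access lines use a combined-log style format and the audit lines a `key=value` format; the sample lines and the trusted network are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed trusted management network; substitute the site's real ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Paths the advisory lists as indicators when reached from unauthorized sources.
WATCHED_PREFIXES = ("/webvisu/", "/plc/")

# Assumed combined-log style access line (constructed; real layout differs).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed key=value audit line carrying the event_type field (constructed).
AUDIT_RE = re.compile(r"event_type=(?P<event>\w+)(?: src=(?P<src>\S+))?")
AUDIT_EVENTS = ("auth_failure", "unauthorized_access")


def is_trusted(src):
    """True if src parses as an IP inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def check_access_line(line):
    """Flag watched paths reached from untrusted sources.

    A 2xx response is rated high: with an authentication bypass the
    request succeeds where a 401/403 would normally be expected.
    """
    m = ACCESS_RE.match(line)
    if not m or not m["path"].startswith(WATCHED_PREFIXES):
        return None
    if is_trusted(m["src"]):
        return None
    severity = "high" if m["status"].startswith("2") else "medium"
    return {"kind": "unauthorized_source", "src": m["src"],
            "path": m["path"], "status": int(m["status"]), "severity": severity}


def check_audit_line(line):
    """Flag the audit event types named in the SIEM query above."""
    m = AUDIT_RE.search(line)
    if not m or m["event"] not in AUDIT_EVENTS:
        return None
    return {"kind": m["event"], "src": m["src"] or "unknown",
            "path": None, "status": None, "severity": "medium"}


def scan(lines):
    """Return one finding dict per matching line, in input order."""
    findings = []
    for line in lines:
        hit = check_access_line(line) or check_audit_line(line)
        if hit:
            findings.append(hit)
    return findings


def summarize(findings):
    """Count findings per source address, for triage."""
    return Counter(f["src"] for f in findings)


# Constructed sample log lines mixing access and audit records.
SAMPLE_LOG = [
    '10.10.4.7 - - [01/Jun/2021:10:00:01 +0000] "GET /webvisu/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jun/2021:10:00:05 +0000] "GET /webvisu/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jun/2021:10:00:06 +0000] "POST /plc/ HTTP/1.1" 401 0',
    '203.0.113.9 - - [01/Jun/2021:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 128',
    "2021-06-01T10:00:08Z event_type=auth_failure src=203.0.113.9 user=admin",
    "2021-06-01T10:00:09Z event_type=login_ok src=10.10.4.7 user=operator",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f)
    print("per-source:", dict(summarize(results)))
```

Adjust `ACCESS_RE` and `AUDIT_RE` to the layout of the logs you actually export; the logic to keep is the pairing of a watched path with an untrusted source and the extra weight given to successful responses.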
