CVE-2021-36763

7.5 HIGH

📋 TL;DR

CVE-2021-36763 is a directory traversal vulnerability in CODESYS V3 web server that allows external attackers to access files or directories they shouldn't have permission to view. This affects CODESYS V3 web server installations before version 3.5.17.10. Industrial control systems using vulnerable CODESYS components are at risk.

💻 Affected Systems

Products:
  • CODESYS V3 web server
Versions: All versions before 3.5.17.10
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects CODESYS V3 installations with web server component enabled. Industrial control systems and PLC programming environments using CODESYS are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive configuration files, source code, or credentials, potentially leading to full system compromise, production disruption, or intellectual property theft.

🟠 Likely Case

Unauthorized access to system files, configuration data, or application files that could be used for reconnaissance or further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the web server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal attacks are well-understood and easy to automate. Public exploit code exists for similar CODESYS vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.17.10 or later

Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16803&token=0b8edf9276dc39ee52f43026c415c5b38085d90a&download=

Restart Required: Yes

Instructions:

1. Download CODESYS V3 version 3.5.17.10 or later from official vendor sources.
2. Back up current configuration and projects.
3. Install the update following vendor documentation.
4. Restart affected systems and services.
5. Verify web server functionality.

🔧 Temporary Workarounds

Disable web server (all platforms)

Temporarily disable the CODESYS web server component if it is not required for operations.

Consult the CODESYS documentation for the web server disable procedure specific to your installation.

Network segmentation (all platforms)

Isolate CODESYS systems from untrusted networks using firewalls.

Configure firewall rules to block external access to CODESYS web server ports (typically 80, 443, 8080).

🧯 If You Can't Patch

  • Implement strict network access controls to prevent external access to CODESYS web server
  • Deploy web application firewall (WAF) with directory traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check CODESYS web server version via web interface or configuration files. Versions below 3.5.17.10 are vulnerable.

Check Version:

Check CODESYS About dialog or configuration files for version information

Verify Fix Applied:

Verify that the installed version is 3.5.17.10 or higher, and test that directory traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed attempts to access restricted directories
  • Unusual file access patterns in web server logs
  • Requests containing '../' or directory traversal patterns

Network Indicators:

  • External IPs accessing CODESYS web server on unusual paths
  • Bursts of requests to sensitive file paths

SIEM Query:

web_server_logs WHERE (url CONTAINS '../' OR url CONTAINS '..\\') AND source_ip NOT IN (trusted_networks)
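The SIEM query above expressed as a log-scanning function, as an added example that is not part of the original advisory or CODESYS's own tooling. It assumes Common Log Format lines (constructed samples below; adapt LOG_RE to the real web server log layout), percent-decodes paths so URL-encoded and double-encoded traversal is caught as well as the literal '../' and '..\' forms, and excludes assumed trusted engineering networks.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed log layout: Common Log Format. Adapt LOG_RE to the actual CODESYS web server log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# Traversal tokens, checked after decoding so %2e%2e%2f and double-encoded forms are caught too.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Assumed trusted engineering/OT ranges (the "trusted_networks" of the SIEM query).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("192.168.1.0/24")]

def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), exposing double-encoded traversal."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_trusted(ip: str) -> bool:
    """True if the source address is inside a trusted network; unparsable addresses count as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_traversal_attempts(log_lines):
    """Return (source_ip, decoded_path, status) for traversal-pattern requests from untrusted sources."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here; count these in production as a parsing-health metric
        path = decode_path(m["path"])
        if TRAVERSAL_RE.search(path) and not is_trusted(m["ip"]):
            hits.append((m["ip"], path, int(m["status"])))
    return hits

# Constructed sample lines (not real CODESYS logs); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2021:14:02:11 +0000] "GET /webvisu.htm HTTP/1.1" 200 8192',
    '203.0.113.7 - - [10/Aug/2021:14:02:12 +0000] "GET /../../some-file.cfg HTTP/1.1" 200 1234',
    '198.51.100.23 - - [10/Aug/2021:14:03:01 +0000] "GET /%2e%2e%2f%2e%2e%2fsome-file.cfg HTTP/1.1" 404 0',
    '198.51.100.24 - - [10/Aug/2021:14:03:05 +0000] "GET /%252e%252e%252fsome-file.cfg HTTP/1.1" 200 1234',
    '203.0.113.9 - - [10/Aug/2021:14:04:30 +0000] "GET /..\\..\\some-file.cfg HTTP/1.1" 200 1234',
    '10.10.5.4 - - [10/Aug/2021:14:05:00 +0000] "GET /../../some-file.cfg HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    print(find_traversal_attempts(SAMPLE_LOG))  # the trusted 10.10.5.4 request and the benign request are not listed
```

A 404 still counts as an attempt worth alerting on: the decoded path, not the response code, is the indicator.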
