CVE-2022-1965
📋 TL;DR
CVE-2022-1965 is an improper error handling vulnerability in multiple CODESYS products that allows low-privilege remote attackers to delete arbitrary files without user interaction. This affects industrial control systems and automation software using vulnerable CODESYS components. The vulnerability stems from insufficient validation of crafted requests.
💻 Affected Systems
- CODESYS Control runtime systems
- CODESYS Development System
- CODESYS Gateway
- CODESYS OPC UA Server
📦 What is this software?
PLCWinNT by CODESYS
⚠️ Risk & Real-World Impact
Worst Case
Critical system files could be deleted, causing denial of service, data loss, or disruption of industrial processes leading to safety incidents.
Likely Case
Attackers delete configuration files or application data, disrupting operations and requiring restoration from backups.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated systems with minimal operational disruption.
🎯 Exploit Status
Exploitation requires low-privilege access but no authentication. The vulnerability is in error handling logic that fails to properly validate file deletion requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V3.5.19.0 and later
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17139&token=ec67d15a433b61c77154166c20c78036540cacb0&download=
Restart Required: Yes
Instructions:
1. Download the latest CODESYS version from the vendor portal.
2. Back up the current configuration and projects.
3. Install the update following vendor documentation.
4. Restart affected systems.
5. Verify functionality post-update.
🔧 Temporary Workarounds
Network Segmentation
Isolate CODESYS systems from untrusted networks using firewalls and VLANs.
Access Control Restrictions
Implement strict network access controls to limit which systems can communicate with CODESYS components.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CODESYS systems from untrusted networks
- Deploy application firewalls to monitor and block suspicious file deletion requests
🔍 How to Verify
Check if Vulnerable:
Check the CODESYS version in the administration interface or via system information commands. Versions below V3.5.19.0 are vulnerable.
Check Version:
In the CODESYS IDE, open Help → About CODESYS; on runtime systems, use the vendor-specific version query commands.
Verify Fix Applied:
Confirm that the installed version is V3.5.19.0 or later using the CODESYS administration tools or version check commands.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in CODESYS logs
- Error messages related to file access failures
- Authentication logs showing low-privilege users accessing file operations
Network Indicators:
- Unusual network traffic patterns to CODESYS ports (typically 1217, 4840)
- Requests containing file deletion operations from unexpected sources
SIEM Query:
source="codesys" AND (event_type="file_delete" OR error_message="*file*access*" OR user_privilege="low")
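The version check from "How to Verify" and the SIEM query above, scripted as an added example that is not part of this advisory or of any CODESYS tooling. The log record layout and sample records are constructed for illustration; real CODESYS logs must be mapped into these field names first.

```python
"""Added example (not from the advisory): version check and SIEM-query
predicate for CVE-2022-1965. The log record layout is constructed for
illustration; real CODESYS logs must be mapped into these fields."""
import fnmatch
import re

FIXED_VERSION = (3, 5, 19, 0)  # V3.5.19.0, the fixed version named above


def parse_version(text: str) -> tuple:
    """Parse 'V3.5.19.0' or '3.5.18.40' into a comparable integer tuple.
    Missing trailing components count as 0 (assumption)."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){1,3})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fix (below V3.5.19.0)."""
    return parse_version(version) < FIXED_VERSION


def matches_siem_query(record: dict) -> bool:
    """The page's SIEM query as a predicate: source="codesys" AND
    (event_type="file_delete" OR error_message="*file*access*" OR user_privilege="low")."""
    if record.get("source") != "codesys":
        return False
    return (
        record.get("event_type") == "file_delete"
        or fnmatch.fnmatchcase(record.get("error_message", ""), "*file*access*")
        or record.get("user_privilege") == "low"
    )


def flag_records(records: list) -> list:
    """Return the records that match the query, for review or alerting."""
    return [r for r in records if matches_siem_query(r)]


# Constructed sample records (not real CODESYS log output).
SAMPLE_RECORDS = [
    {"source": "codesys", "event_type": "login", "user_privilege": "admin"},
    {"source": "codesys", "event_type": "file_delete", "user_privilege": "admin"},
    {"source": "codesys", "event_type": "file_read", "user_privilege": "low",
     "error_message": "file access failure: permission denied"},
    {"source": "syslog", "event_type": "file_delete", "user_privilege": "low"},
]
```

Note that the wildcard match is case-sensitive, as fnmatchcase is; normalise the error message field before matching if your log source mixes cases.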