CVE-2022-31806

9.8 CRITICAL

📋 TL;DR

CODESYS V2 PLCWinNT and Runtime Toolkit 32 versions before V2.4.7.57 have password protection disabled by default with no prompt to enable it. This allows unauthorized access to industrial control systems. Affected users are those running vulnerable CODESYS software in industrial environments.

💻 Affected Systems

Products:
  • CODESYS V2 PLCWinNT
  • CODESYS Runtime Toolkit 32
Versions: All versions prior to V2.4.7.57
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Password protection is disabled by default with no warning to users.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain full control of industrial PLCs, potentially causing physical damage, production shutdowns, or safety incidents.

🟠 Likely Case: Unauthorized access to PLC programming and configuration, leading to operational disruption or data theft.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls in place.

🌐 Internet-Facing: HIGH - If exposed to internet, attackers can directly access vulnerable systems.
🏢 Internal Only: HIGH - Even internally, unauthorized users or malware could exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required when password protection is disabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V2.4.7.57

Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download=

Restart Required: Yes

Instructions:

  1. Download V2.4.7.57 from CODESYS customer portal.
  2. Install update on affected systems.
  3. Restart CODESYS services.
  4. Enable password protection in configuration.

🔧 Temporary Workarounds

Enable Password Protection (Windows)

Manually enable password protection in CODESYS configuration. Configure via CODESYS Control Panel or configuration files.

Network Segmentation (all platforms)

Isolate CODESYS systems from untrusted networks. Implement firewall rules to restrict access to CODESYS ports.

🧯 If You Can't Patch

  • Enable password protection immediately in all CODESYS instances
  • Implement strict network access controls and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check CODESYS version in About dialog or registry: HKEY_LOCAL_MACHINE\SOFTWARE\3S-Smart Software Solutions\CODESYS\Version

Check Version:

reg query "HKLM\SOFTWARE\3S-Smart Software Solutions\CODESYS" /v Version

Verify Fix Applied:

Verify version is V2.4.7.57 or later and password protection is enabled in configuration.
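The version check above can be run across many hosts and triaged offline. The following is an added example, not code from the vendor or from this page: it parses saved output of the `reg query` command shown above and compares the version numerically against V2.4.7.57. It assumes the registry value is a dotted version string with an optional leading "V"; the host names and sample outputs are constructed.

```python
import re

FIXED = (2, 4, 7, 57)  # first fixed release named on this page: V2.4.7.57

# Value line printed by `reg query ... /v Version` (name, type, data).
_VALUE_LINE = re.compile(r"^\s*Version\s+REG_SZ\s+(\S+)\s*$", re.MULTILINE)
_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\3S-Smart Software Solutions\\CODESYS"

# Constructed sample outputs, one per hypothetical host.
SAMPLE = {
    "plc-hmi-01": f"\n{_KEY}\n    Version    REG_SZ    2.4.7.6\n",
    "plc-hmi-02": f"\r\n{_KEY}\r\n    Version    REG_SZ    V2.4.7.57\r\n",
    "plc-hmi-03": "ERROR: The system was unable to find the specified "
                  "registry key or value.\n",
}


def parse_version(text):
    """Return the version in reg query output as a tuple of ints, or None."""
    m = _VALUE_LINE.search(text)
    if not m:
        return None
    raw = m.group(1).lstrip("Vv")  # assumption: optional leading "V"
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", raw):
        return None
    return tuple(int(part) for part in raw.split("."))


def classify(text):
    """Return 'vulnerable', 'fixed-version' or 'unknown' for one host."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # key missing or unparseable: inspect by hand
    # Pad short versions so 2.4.7 compares as 2.4.7.0. Comparing tuples of
    # ints avoids the string-compare trap where "2.4.7.6" sorts after
    # "2.4.7.57".
    padded = version + (0,) * (len(FIXED) - len(version))
    # 'fixed-version' covers only the version; password protection must
    # still be enabled in the configuration, as this page states.
    return "vulnerable" if padded < FIXED else "fixed-version"


def triage(outputs):
    """Map each host name to its classification."""
    return {host: classify(text) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```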

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to CODESYS services
  • Configuration changes without authentication

Network Indicators:

  • Unexpected connections to CODESYS ports (typically 1217, 1740)

SIEM Query:

source="CODESYS" AND ((event_type="login" AND user="anonymous") OR (event_type="config_change" AND auth_status="none"))
