SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-816462404] 3S-Smart Software Solutions GmbH CODESYS Web Server

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2018-02-01Other3S-Smart Software Solutions GmbHZhu WenZhe of Istury IOT security lab reported this vulnerability to NCCIC.N/ACVE-2018-5440 N/AN/AN/A


# 3S-Smart Software Solutions GmbH CODESYS Web Server

3S-Smart Software Solutions GmbH

CODESYS Web Server 

Zhu WenZhe of Istury IOT security lab reported this vulnerability to NCCIC.

All Microsoft Windows (also WinCE) based CODESYS web servers running stand-alone Version 2.3, or as part of the CODESYS runtime system running prior to Version V1.1.9.19, are affected

Successful exploitation of this vulnerability could cause the device the attacker is accessing to crash, resulting in a buffer overflow condition that may allow remote code execution.

A crafted request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server.
CVE-2018-5440 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Critical Infrastructure Sectors: Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Kempten, Germany


This vulnerability will be fixed by patch V. for the CODESYS V2.3 web server for Windows. This will be part of the CODESYS setup V2.3.9.56. The release of this security patch was made available on January 30, 2018.

Currently, 3S-Smart Software Solutions GmbH has not identified any workarounds for this vulnerability.

In general, 3S-Smart Software Solutions GmbH recommends the following defensive measures to reduce the risk of exploitation of this vulnerability:

Use controllers and devices only in a protected environment to minimize network exposure and ensure they are not accessible from outside.

Use firewalls to protect and separate the control system network from other networks.

Use VPN (Virtual Private Networks) tunnels if remote access is required.

Protect both development and control systems from unauthorized access (e.g., by means of the operating system).

Protect both development and control system by using up-to-date virus detecting solutions.

For additional information regarding the CODESYS products, or about the described vulnerability, please contact the 3S-Smart Software Solutions support team at this location:

For additional information find the CODESYS Security update at the following location:

For more information and general recommendations for protecting machines and manufacturing facilities, see the CODESYS Security whitepaper available at this location: