Codesys Runtime System
CVE-2018-5440
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A Stack-based Buffer Overflow issue was discovered in 3S-Smart CODESYS Web Server. Specifically: all Microsoft Windows (also WinCE) based CODESYS web servers running stand-alone Version 2.3, or as part of the CODESYS runtime system running prior to Version V1.1.9.19. A crafted request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server.
AnalysisAI
A Stack-based Buffer Overflow issue was discovered in 3S-Smart CODESYS Web Server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-121. A Stack-based Buffer Overflow issue was discovered in 3S-Smart CODESYS Web Server. Specifically: all Microsoft Windows (also WinCE) based CODESYS web servers running stand-alone Version 2.3, or as part of the CODESYS runtime system running prior to Version V1.1.9.19. A crafted request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server. Affected products include: 3S-Software Codesys Runtime System, 3S-Software Codesys Web Server. Version information: Version 2.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Codesys Runtime System
View allThe Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attac
The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion
Runtime Toolkit before 2.4.7.48 in 3S-Smart CODESYS before 2.3.9.48 allows remote attackers to cause a denial of service
Same weakness CWE-121 – Stack-based Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today