
CODESYS, an industrial automation software provider, has informed its customers that it has patched about a dozen vulnerabilities affecting a number of its products. More than half of these vulnerabilities were found by Cisco Talos, which has also published their details.
Flaws in CODESYS software can have grave consequences given its use in the industrial control systems (ICS) made by numerous leading companies. Last month, a cybersecurity company warned that programmable logic controllers (PLCs) made by over a dozen manufacturers were exposed to attacks because of major security vulnerabilities discovered in CODESYS software.
On July 22, CODESYS issued six advisories to inform customers that fixes are available for remote code execution, denial of service (DoS), and information disclosure flaws affecting its Development System, V3 web server, Gateway, Runtime Toolkit for VxWorks, and EtherNetIP products.
Only one vulnerability has been assigned a critical severity rating. Tracked as CVE-2021-33485, the bug is described as a heap-based buffer overflow in the CODESYS V3 web server, which can be abused for DoS attacks or remote code execution using specially crafted requests.
CODESYS also issued an advisory describing seven flaws exposed by Cisco’s Talos research and threat intelligence unit. Talos experts discovered that several functions of the CODESYS Development System are impacted by insecure deserialization bugs that can lead to remote code execution.
A threat actor could exploit these flaws by modifying local configuration or profile files, or by tricking a local user into opening malicious project or archive files.
The vendor said it is not aware of any attacks abusing these flaws, but for some of the vulnerabilities it noted that security scanners can cause problems.
In each advisory, CODESYS stated that even an attacker with low skills can exploit the vulnerabilities.