
How to remediate – CODESYS WAGO WebVisu Detection

1. Introduction

The remote host is running CODESYS WebVisu on a WAGO controller, a web-based SCADA visualization system (the finding is reported as "CODESYS WAGO WebVisu Detection"). This means a web server on your network lets users view and interact with industrial control processes. A successful exploit could give an attacker unauthorized access to the SCADA system, affecting confidentiality, integrity, and availability.

2. Technical Explanation

CODESYS WebVisu is a web-based Human Machine Interface (HMI) for CODESYS applications running on WAGO programmable logic controllers (PLCs). The vulnerability lies in the default configuration of the web server, which may be accessible remotely without authentication. An attacker could potentially access and modify the visualization system.

  • Root cause: Default credentials or lack of authentication for the WebVisu interface.
  • Exploit mechanism: An attacker connects to the exposed WebVisu interface via a web browser, gaining access to control parameters and potentially modifying PLC logic.
  • Scope: CODESYS WebVisu running on WAGO application controllers.

3. Detection and Assessment

  • Quick checks: Use a web browser to access the controller’s IP address on port 80 or 443. Look for the CODESYS WebVisu login page.
  • Scanning: Nessus plugin ID 16729 can identify exposed CODESYS WebVisu instances. This is an example only and may require updates.
  • Logs and evidence: Check web server logs for access attempts to the WebVisu interface.
  • Connectivity check: ping {controller_ip} to confirm the controller is reachable before opening the interface in a browser.
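To make the "Logs and evidence" check concrete, here is an added Python example (not part of the original article, and not WAGO or CODESYS tooling) that scans web-server access-log lines for requests to the WebVisu interface and counts failed authentication attempts per source address. The log lines are constructed in Common Log Format for the example; the WebVisu path pattern (`webvisu`, as in `/webvisu.htm`), the threshold of three failures and all helper names are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (CLF). These are
# made up for the example; a real controller's log format may differ.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Dec/2025:10:01:02 +0000] "GET /webvisu.htm HTTP/1.1" 200 5123
10.0.0.9 - - [27/Dec/2025:10:01:10 +0000] "GET /webvisu.htm HTTP/1.1" 401 0
10.0.0.9 - - [27/Dec/2025:10:01:11 +0000] "GET /webvisu.htm HTTP/1.1" 401 0
10.0.0.9 - - [27/Dec/2025:10:01:12 +0000] "GET /webvisu.htm HTTP/1.1" 401 0
10.0.0.5 - - [27/Dec/2025:10:02:00 +0000] "GET /index.htm HTTP/1.1" 200 200
10.0.0.7 - - [27/Dec/2025:10:03:00 +0000] "GET /WebVisu/ HTTP/1.1" 302 0
not a log line at all
"""

# CLF: host ident authuser [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed: the WebVisu interface lives under a path containing "webvisu"
# (e.g. /webvisu.htm). Adjust the pattern to your controller's layout.
WEBVISU_PATH_RE = re.compile(r"webvisu", re.IGNORECASE)


def parse_line(line):
    """Return a dict with src, ts, method, path, status for one CLF line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text, failure_threshold=3):
    """Summarize WebVisu access from raw log text.

    Returns a dict with:
      webvisu_hits        number of requests whose path matches the WebVisu pattern
      hits_by_src         Counter of WebVisu requests per source address
      failed_auth_by_src  Counter of HTTP 401 answers on WebVisu paths per source
      repeated_failures   sources with at least failure_threshold failed attempts
      unparsed            lines the parser did not recognise (worth a manual look)
    """
    hits_by_src = Counter()
    failed_by_src = Counter()
    unparsed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if not WEBVISU_PATH_RE.search(rec["path"]):
            continue
        hits_by_src[rec["src"]] += 1
        if rec["status"] == 401:
            failed_by_src[rec["src"]] += 1
    repeated = sorted(s for s, n in failed_by_src.items() if n >= failure_threshold)
    return {
        "webvisu_hits": sum(hits_by_src.values()),
        "hits_by_src": hits_by_src,
        "failed_auth_by_src": failed_by_src,
        "repeated_failures": repeated,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"WebVisu requests: {report['webvisu_hits']}")
    for src, n in report["hits_by_src"].most_common():
        print(f"  {src}: {n} request(s), {report['failed_auth_by_src'][src]} failed auth")
    if report["repeated_failures"]:
        print("Repeated failed authentication from:", ", ".join(report["repeated_failures"]))
    if report["unparsed"]:
        print(f"{len(report['unparsed'])} unparsed line(s)")
```

Feed it your controller's access log instead of `SAMPLE_LOG`; a source that accumulates failed attempts after the fix is applied is the signal the "Monitoring" step in Section 5 asks you to watch for, while a 200 on the WebVisu path before the fix is the evidence of open access.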

4. Solution / Remediation Steps


4.1 Preparation

  • Ensure you have access credentials for the CODESYS development environment. Roll-back plan: restore the project from the previous backup.
  • A change window may be required depending on your operational procedures and impact assessment.

4.2 Implementation

  1. Open the CODESYS project in the CODESYS development environment.
  2. Navigate to the “Visualization” settings within the project tree.
  3. Enable authentication for the WebVisu interface and set a strong password.
  4. Configure access control lists (ACLs) to restrict access to authorized users only.
  5. Download the updated project to the WAGO application controller.

4.3 Config or Code Example

Before

// No authentication enabled in WebVisu settings

After

// Authentication Enabled: Yes
// Password: <strong, unique password; do not record the real value in project notes or documentation>
// Access Control Lists configured for authorized users.

4.4 Security Practices Relevant to This Vulnerability


  • Practice 1: Least privilege – restrict access to the SCADA system to authorized personnel only.
  • Practice 2: Strong authentication – enforce strong passwords and multi-factor authentication where possible.

4.5 Automation (Optional)

No suitable automation script is available for this vulnerability due to its configuration nature.

5. Verification / Validation


  • Post-fix check: Attempt to access the WebVisu interface without credentials. You should be prompted for authentication.
  • Re-test: Re-run the quick check from Section 3. The login page should now require valid credentials.
  • Smoke test: Verify that authorized users can still log in and interact with the visualization system as expected.
  • Monitoring: Monitor web server logs for failed authentication attempts.
  • Connectivity smoke test: ping {controller_ip} to confirm the controller is still reachable after the project download.
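The post-fix check and re-test above can be scripted so they run the same way every time. The following Python example is added here and is not part of the original article or of any CODESYS or WAGO tool: it requests the WebVisu page anonymously, classifies the controller's answer, and prints a pass/fail verdict. The candidate paths (`/webvisu.htm` and the site root), the page markers used to recognise WebVisu, the treatment of a redirect to a page containing "login" as an authentication prompt, and the placeholder address 192.0.2.10 are all assumptions.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Assumed paths to try (not taken from the article): the classic WebVisu page
# and the site root, which is what the quick check in Section 3 opens.
CANDIDATE_PATHS = ("/webvisu.htm", "/")
REDIRECT_CODES = (301, 302, 303, 307, 308)


def looks_like_webvisu(body):
    """Heuristic: the page mentions WebVisu or CODESYS (assumed markers)."""
    text = body.lower()
    return "webvisu" in text or "codesys" in text


def classify(status, headers, body):
    """Classify one HTTP response from the controller.

    'auth-required'  401/407, a WWW-Authenticate header, or a redirect to a login page
    'open-webvisu'   200 and the body looks like the WebVisu page: the fix did not take
    'redirect'       some other redirect; follow it by hand and re-check
    'not-webvisu'    anything else (404, unrelated page, ...)
    `headers` may be a dict or an http.client.HTTPMessage; both support .get().
    """
    if status in (401, 407) or headers.get("WWW-Authenticate"):
        return "auth-required"
    if status in REDIRECT_CODES:
        location = headers.get("Location", "") or ""
        return "auth-required" if "login" in location.lower() else "redirect"
    if status == 200 and looks_like_webvisu(body):
        return "open-webvisu"
    return "not-webvisu"


def verdict(results):
    """Collapse per-path classifications into one pass/fail line."""
    kinds = {r[0] for r in results.values()}
    if "open-webvisu" in kinds:
        return "FAIL: WebVisu is served without authentication"
    if "auth-required" in kinds:
        return "PASS: WebVisu requires authentication"
    return "INCONCLUSIVE: no WebVisu page found; check paths, port and reachability"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, port=80, use_tls=False, verify_tls=True, timeout=5):
    """Request each candidate path without credentials and classify the answer.

    Returns {path: (classification, detail)}. No credentials are sent, so a
    correctly configured controller should answer 'auth-required'.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab controllers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    scheme = "https" if use_tls else "http"
    results = {}
    for path in CANDIDATE_PATHS:
        url = f"{scheme}://{host}:{port}{path}"
        req = urllib.request.Request(url, headers={"User-Agent": "webvisu-auth-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, headers = resp.status, resp.headers
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx and, via _NoRedirect, 3xx
            status, headers = err.code, err.headers
            body = err.read(65536).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError) as err:
            results[path] = ("unreachable", str(err))
            continue
        results[path] = (classify(status, headers, body), f"HTTP {status}")
    return results


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder; pass your controller's address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    res = probe(target, port=80)
    for path, (kind, detail) in res.items():
        print(f"{path}: {kind} ({detail})")
    print(verdict(res))
```

Run it as `python3 check_webvisu.py {controller_ip}` before and after the change: the first run is the negative test (it should report FAIL on an unprotected controller), the second should report PASS. Use `use_tls=True` with port 443 for controllers that only serve HTTPS, and keep `verify_tls=True` unless you are checking a lab device with a self-signed certificate.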

6. Preventive Measures and Monitoring


  • Baselines: Update your security baseline to include a requirement for authentication on all web-based SCADA interfaces.
  • Pipelines: Include static analysis checks in your CI/CD pipeline to identify default credentials or insecure configurations in CODESYS projects.
  • Asset and patch process: Implement a regular review cycle for SCADA system configurations to ensure they remain secure.

7. Risks, Side Effects, and Roll Back

  • Roll back: Restore the previous backup of the CODESYS project.

8. References and Resources

Updated on December 27, 2025
