1. Introduction
The CODESYS WAGO WebVisu Password Information Disclosure Vulnerability allows an attacker to extract password information for users on a vulnerable device. This could allow unauthorised access to the controller and potentially compromise industrial control systems. Affected systems are typically WAGO Application controllers running a vulnerable version of CODESYS WebVisu. Confidentiality is at risk due to potential password exposure.
2. Technical Explanation
The vulnerability exists because CODESYS WebVisu does not properly protect user credentials when handling requests. An attacker can send a specially crafted request to the web interface and retrieve password information stored on the device. This requires network access to the vulnerable controller. The BID entry for this vulnerability is 68485.
- Root cause: Insufficient protection of user passwords within the WebVisu application.
- Exploit mechanism: An attacker sends a malicious HTTP request to the WebVisu interface, which returns password information in plain text.
- Scope: WAGO Application controllers running vulnerable versions of CODESYS WebVisu.
3. Detection and Assessment
To confirm whether a controller is vulnerable, check the version of CODESYS WebVisu installed on your WAGO controller. A thorough assessment involves attempting to extract password information using a crafted request.
- Quick checks: Check the CODESYS WebVisu version via the web interface or through the CODESYS project configuration.
- Scanning: Nessus vulnerability ID a5a0dfdc can detect this issue. This is provided as an example only.
- Logs and evidence: Review application logs for unusual requests to the WebVisu interface. Specific log locations depend on your controller configuration.
4. Solution / Remediation Steps
The vendor has not yet provided a solution. The recommended workaround is to delete the ‘webvisu.jar’ file from the plc directory.
4.1 Preparation
- There are no dependencies, but ensure you have access to the controller’s file system. Change windows should be planned during maintenance periods.
4.2 Implementation
- Step 1: Connect to the WAGO Application controller’s file system.
- Step 2: Navigate to the ‘plc’ directory.
- Step 3: Delete the ‘webvisu.jar’ file.
- Step 4: Restart the PLC runtime.
4.3 Config or Code Example
There is no config or code change involved, only a file deletion.
Before
webvisu.jar exists in the plc directory
After
webvisu.jar does not exist in the plc directory
4.4 Security Practices Relevant to This Vulnerability
Practices that reduce risk include least privilege and secure defaults.
- Practice 1: Least privilege – limit access to the controller’s file system to only authorised personnel.
- Practice 2: Secure Defaults – Ensure default passwords are changed immediately upon deployment.
4.5 Automation (Optional)
No automation is provided due to the simplicity of the fix.
5. Verification / Validation
Confirm the fix by verifying that the ‘webvisu.jar’ file has been deleted and attempting to access the WebVisu interface.
- Post-fix check: Verify the absence of ‘webvisu.jar’ in the plc directory using a file system browser or command line tool.
- Re-test: Attempt to extract password information as described in the Technical Explanation section; it should no longer be possible.
- Monitoring: Monitor application logs for errors related to WebVisu access, which may indicate an issue with the workaround.
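The post-fix check above can be run across several controllers at once. The following is an added example, not part of the original advisory or of any vendor tooling. It assumes each controller's file system has been copied or mounted to a local directory, and it goes slightly beyond the stated check by also listing copies of the file left outside the plc directory. The function names and status strings are hypothetical, and case-insensitive name matching is an assumption.

```python
import os
import sys
from pathlib import Path

TARGET = "webvisu.jar"  # file the workaround deletes
PLC_DIR = "plc"         # directory the workaround names


def audit_root(root):
    """Classify one local copy of a controller file system (hypothetical helper)."""
    root = Path(root)
    plc_seen, in_plc, elsewhere = False, [], []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        # Assumption: names are matched case-insensitively, since transfers
        # may preserve case differently from the controller.
        is_plc = here.name.lower() == PLC_DIR
        plc_seen = plc_seen or is_plc
        for name in files:
            if name.lower() == TARGET:
                rel = (here / name).relative_to(root).as_posix()
                (in_plc if is_plc else elsewhere).append(rel)
    if not plc_seen:
        status = "plc-dir-not-found"   # wrong path or incomplete copy: not a pass
    elif in_plc:
        status = "file-present"        # workaround missing or rolled back
    else:
        status = "workaround-applied"
    return {"status": status, "in_plc": sorted(in_plc),
            "elsewhere": sorted(elsewhere)}


def audit_fleet(roots):
    """Audit every root; the exit code is 1 unless all roots pass cleanly."""
    results = {str(r): audit_root(r) for r in roots}
    ok = all(r["status"] == "workaround-applied" for r in results.values())
    return results, 0 if ok else 1


if __name__ == "__main__":
    # Usage: pass one directory per controller copy on the command line.
    results, code = audit_fleet(sys.argv[1:])
    for root, res in results.items():
        print(f"{root}: {res['status']} in_plc={res['in_plc']} "
              f"elsewhere={res['elsewhere']}")
    sys.exit(code)
```

A root with no plc directory is reported separately rather than as a pass, so a mistyped path or partial copy cannot be mistaken for a remediated controller.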
6. Preventive Measures and Monitoring
Update security baselines to include this vulnerability and regularly review patch cycles.
- Baselines: Update your security baseline or policy to reflect the need for timely patching of CODESYS WebVisu.
- Pipelines: Implement checks in CI/CD pipelines to ensure that vulnerable versions of software are not deployed.
- Asset and patch process: Establish a regular patch review cycle, particularly for industrial control systems components.
7. Risks, Side Effects, and Roll Back
Deleting ‘webvisu.jar’ will disable the WebVisu interface. If this functionality is required, you must restore the file from your backup.
- Risk or side effect 1: Disabling WebVisu may impact remote monitoring or control capabilities.
- Roll back: Restore the ‘webvisu.jar’ file from your backed-up CODESYS project and restart the PLC runtime.
8. References and Resources
Refer to official advisories for accurate information.
- Vendor advisory or bulletin: http://www.nessus.org/u?a5a0dfdc
- NVD or CVE entry: Not available at time of writing.
- Product or platform documentation relevant to the fix: Refer to CODESYS WebVisu documentation for file locations and runtime configuration.