How to remediate – CODESYS V2 Web Server Detection

1. Introduction

The CODESYS V2 web server is running on the remote host. This means a web interface used for programming and managing Programmable Logic Controllers (PLCs) is accessible, potentially allowing unauthorized access to control systems. Affected systems are typically industrial automation equipment using CODESYS software. A successful exploit could lead to confidentiality loss of PLC programs, integrity compromise through program modification, and availability disruption by altering system operation.

2. Technical Explanation

The vulnerability lies in the presence of a running CODESYS V2 web server instance. This server is often enabled by default for remote management purposes. An attacker can remotely connect to this server without authentication if it has not been secured, gaining access to PLC projects and functionality. There is no specific CVE associated with simply *detecting* the service; however, exploitation of vulnerabilities within CODESYS itself is well documented. For example, an attacker could upload malicious code or modify existing programs.

  • Root cause: The CODESYS V2 web server is enabled without proper access controls.
  • Exploit mechanism: An attacker connects to the web server and attempts to gain unauthorized access by exploiting known vulnerabilities in the CODESYS platform, or through default credentials if they exist.
  • Scope: Systems running CODESYS V2 software with the web server enabled are affected.

3. Detection and Assessment

You can confirm whether a system is vulnerable by checking for the presence of the CODESYS V2 web server. A quick check involves using network scanning tools to identify open ports associated with the service. A thorough method includes attempting to connect to the web interface.

  • Quick checks: Use nmap -sV and look for services identified as “CODESYS V2 Web Server”.
  • Scanning: Nessus plugin ID 10438 can detect CODESYS Web Server. This is an example only; other scanners may provide similar functionality.
  • Logs and evidence: Check system logs for processes related to CODESYS web server activity. Specific log paths vary depending on the operating system and installation configuration.
nmap -sV <target>

4. Solution / Remediation Steps

To fix this issue, disable or secure the CODESYS V2 web server. The following steps provide a precise guide to remediation.

4.1 Preparation

  • Ensure you have access to the CODESYS development environment for configuration changes. A roll back plan involves restoring the system snapshot.
  • A change window may be required depending on operational impact. Approval from a systems engineer is recommended.

4.2 Implementation

  1. Step 1: Open the CODESYS development environment and connect to the target PLC.
  2. Step 2: Navigate to Device (or similar) settings within the project tree.
  3. Step 3: Locate the “Web Server” configuration section.
  4. Step 4: Disable the web server or configure strong authentication (username/password).
  5. Step 5: Download the updated configuration to the PLC.

4.3 Config or Code Example

Before

// Web Server Enabled with no authentication
WebServer: TRUE
Authentication: FALSE

After

// Web Server Disabled
WebServer: FALSE
Authentication: FALSE

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue.

  • Practice 1: Least privilege – limit access to the CODESYS development environment and PLC configuration.
  • Practice 2: Safe defaults – configure new installations with the web server disabled by default.

4.5 Automation (Optional)

Automation is not typically suitable for this specific remediation due to the need for project-specific configuration within CODESYS.

5. Verification / Validation

Confirm the fix worked by verifying that the web server is no longer accessible or requires authentication. Use network scanning tools and attempt to connect to the interface.

  • Post-fix check: Run nmap -sV again; the CODESYS V2 Web Server should no longer be listed, or it should report a different service name if authentication is enabled.
  • Re-test: Re-run the initial detection method (port scan) to confirm the web server is inaccessible.
  • Smoke test: Verify that PLC programming and management functions still work through other authorized channels.
  • Monitoring: Monitor system logs for any attempts to connect to the CODESYS web server port, indicating potential unauthorized access attempts.
nmap -sV <target>
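
The re-test described above can be compared mechanically across several PLCs. The following is an added example, not part of the original article or of any CODESYS or nmap tooling: it parses two nmap XML reports (as written by `nmap -sV -oX`) taken before and after remediation and separates hosts that are fixed, still exposed, or missing from the re-scan. The sample reports, addresses and port number are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports (shape of `nmap -sV -oX` output), documentation-range IPs.
BEFORE = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10"/><ports><port protocol="tcp" portid="8080">
 <state state="open"/><service name="http" product="CODESYS V2 Web Server"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.11"/><ports><port protocol="tcp" portid="8080">
 <state state="open"/><service name="http" product="CODESYS V2 Web Server"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.12"/><ports><port protocol="tcp" portid="8080">
 <state state="open"/><service name="http" product="CODESYS V2 Web Server"/></port></ports></host>
</nmaprun>"""
AFTER = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10"/><ports><port protocol="tcp" portid="8080">
 <state state="closed"/><service name="http-proxy"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.11"/><ports><port protocol="tcp" portid="8080">
 <state state="open"/><service name="http" product="CODESYS V2 Web Server"/></port></ports></host>
</nmaprun>"""

def scan_summary(nmap_xml):
    """Return (hosts_up, exposed) where exposed holds (addr, port) of open CODESYS services."""
    hosts_up, exposed = set(), set()
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr, status = host.find("address"), host.find("status")
        if addr is None or status is None or status.get("state") != "up":
            continue
        hosts_up.add(addr.get("addr"))
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or svc is None or state.get("state") != "open":
                continue
            # Match on the version-detection fingerprint, case-insensitively.
            fp = " ".join(svc.get(k, "") for k in ("name", "product", "extrainfo"))
            if "codesys" in fp.lower():
                exposed.add((addr.get("addr"), int(port.get("portid"))))
    return hosts_up, exposed

def verify_remediation(before_xml, after_xml):
    _, before = scan_summary(before_xml)
    up_after, after = scan_summary(after_xml)
    return {
        "remediated": sorted(e for e in before - after if e[0] in up_after),
        "still_exposed": sorted(after),
        # A host absent from the re-scan proves nothing; it must be re-tested.
        "not_rescanned": sorted(e for e in before if e[0] not in up_after),
    }

if __name__ == "__main__":
    for key, value in verify_remediation(BEFORE, AFTER).items():
        print(key, value)
```

A host that is powered off or unreachable during the re-scan is reported as not re-scanned rather than remediated, which avoids closing a finding on the strength of a missed scan.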

6. Preventive Measures and Monitoring

Implement preventive measures to avoid similar issues in the future.

  • Baselines: Update security baselines to include disabling or securing CODESYS web servers.
  • Pipelines: Include checks in CI/CD pipelines to ensure new installations are configured with secure defaults.
  • Asset and patch process: Establish a regular review cycle for PLC configurations to identify and address potential vulnerabilities.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Loss of remote management functionality if no other access method is configured. Mitigation: Configure a secure alternative access channel (e.g., SSH).
  • Roll back: Re-enable the web server in the CODESYS development environment and download the configuration to the PLC. Restore system snapshot if necessary.

8. References and Resources

Refer to official documentation for more information.

Updated on December 27, 2025
