CVE-2023-37549: 
CODESYS Development System vulnerability analysis and mitigation

CVE-2023-37549 affects multiple Codesys products across multiple versions. The vulnerability was discovered in August 2023 and involves the CmpApp component of Codesys control systems. After successful authentication as a user, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address (VDE Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The weakness is categorized as Improper Input Validation (CWE-20). The vulnerability requires network access and low privileges, but no user interaction (VDE Advisory).

If exploited, this vulnerability can lead to a denial-of-service condition through invalid memory address reading. The impact primarily affects system availability, with no direct impact on confidentiality or integrity (VDE Advisory).

CODESYS GmbH recommends updating affected products to version 3.5.19.20 for Control RTE, Control Win, Control Runtime System Toolkit, and related products. For other affected products like Control for BeagleBone SL and Control for Linux SL, updates to version 4.10.0.0 are recommended. The online user management is enforced by default as of version 3.5.17.0 as an additional security measure (VDE Advisory).

The vulnerability was reported by Vladimir Tokarev from CPS Research, Microsoft Threat Intelligence Community, with coordination handled by CERT@VDE (VDE Advisory).