CVE-2023-49675: 
CODESYS Development System vulnerability analysis and mitigation

CVE-2023-49675 affects CODESYS Development System V2.3 versions prior to 2.3.9.73. The vulnerability was discovered and reported by Michael Heinzl and was disclosed on May 6, 2024 (CERT VDE).

The vulnerability is classified as an out-of-bounds write (CWE-787) issue. It has received a CVSS v3.1 base score of 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability exists in the functionality that allows corrupt project files to be opened after confirmation of a warning dialog (CERT VDE).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code or crash the system. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity impacts (CERT VDE).

CODESYS GmbH recommends only opening projects from trustworthy sources and using password encryption for projects for additional protection against tampering. The permanent fix is to update the CODESYS Development System V2.3 to version 2.3.9.73, which prevents opening of corrupt project files. Users should also consider upgrading to CODESYS V3 as V2.3 is currently in the service phase (CERT VDE).