PT-2022-8324 · Pilz+1 · Pilz Pmc+1

Published: 2022-12-26 · Updated: 2024-10-03 · CVE-2020-12069

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CODESYS V3 products versions prior to 3.5.16.0

Pilz PMC programming tool versions 3.x prior to 3.5.17

Description

The CODESYS Control runtime system stores online communication passwords using a weak hashing algorithm. The password-hashing feature requires insufficient computational effort, which makes it vulnerable to attacks. A local attacker with low privileges can exploit this weakness to gain full control of the device.

Recommendations

For CODESYS V3 products versions prior to 3.5.16.0, update to version 3.5.16.0 or later to resolve the issue. For Pilz PMC programming tool versions 3.x prior to 3.5.17, update to version 3.5.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the CmpUserMgr component to minimize the risk of exploitation.

Related Identifiers

CVE-2020-12069

Affected Products

Codesys V3
Pilz Pmc