CVE-2012-6069
published 2013-01-21


Priority: P260 · critical · 10 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.64% (83.7th percentile)
The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside the intended scope. This may allow an attacker to upload and download any file on the device. This could allow the attacker to affect the availability, integrity, and confidentiality of the device.

Affected

10 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3s-smart_software_solutions | codesys_control_rte | < 2.3.7.17 | 2.3.7.17 |
| 3s-smart_software_solutions | codesys_control_runtime_embedded | < 2.3.2.8 | 2.3.2.8 |
| 3s-smart_software_solutions | codesys_control_runtime_full | < 2.4.7.40 | 2.4.7.40 |
| 3s-software | codesys_runtime_system | | |
| 3s-software | codesys_runtime_system | | |
| 3s-software | codesys_runtime_system | | |
| 3s-software | codesys_runtime_system | | |
| 3s-software | codesys_runtime_system | | |
| festo | cecx-x-c1_modular_master_controller_with_codesys | | |
| festo | cecx-x-m1_modular_controller_with_codesys_and_softmotion | | |

Detection & IOCs (extracted from sources)

port 4000/TCP
port 4001/TCP
  • Alert on any unauthenticated connections to CoDeSys runtime ports; the runtime does not require authentication, so any connection sending CoDeSys commands without a prior auth exchange is suspicious.
  • Flag traffic to Port 4000/TCP and Port 4001/TCP on Festo CECX-X-C1/M1 controllers from untrusted hosts, as these are unauthenticated debug and log service ports exploitable without credentials.
  • Public exploit code is known to be available for these vulnerabilities; correlate any IDS hits against known exploit frameworks targeting CoDeSys V2.3 runtime.
  • Only CoDeSys V2.x runtime versions are affected; CoDeSys Version 3.X is explicitly stated as not vulnerable.
  • Festo has decided not to patch the affected CECX-X-C1 and CECX-X-M1 controllers, meaning these devices remain permanently vulnerable and require compensating network controls.

CVSS provenance

nvd · v3.1 · 10.0 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C