Lenze PLC Designer V4 Password Exposure Vulnerability in c430, c520, and c550 Controllers

A vulnerability in Lenze PLC Designer V4, specifically in version 4.0.0, allows local, low-privileged attackers to view the passwords of connected controllers in plain text. This issue arises from an improper implementation that exposes passwords under certain conditions, but only in the software interface, not on the devices themselves. The vulnerability is limited to use with c430, c520, and c550 controllers.

Impact

Exploitation of this vulnerability could lead to unauthorized exposure of passwords in plain text within the PLC Designer V4 interface. This could allow individuals with access to the engineering workstation to view sensitive credentials. However, it does not affect password management on the controllers themselves.

Remediation

Users are strongly advised to update to PLC Designer V4 version 4.0.1, where this vulnerability has been fixed. Lenze also recommends using the tool only in closed and protected security zones to prevent unauthorized viewing of passwords during entry.