CODESYS Modbus TCP Server Connection Exhaustion Vulnerability
Vulnerability
A resource management vulnerability has been identified in the CODESYS Modbus TCP Server stack, affecting versions prior to 4.6.0.0. This vulnerability allows an unauthenticated remote attacker to exploit a race condition in connection handling, leading to the exhaustion of all available TCP connections. As a result, legitimate clients are prevented from establishing new connections, although existing connections remain unaffected.
Impact
Exploitation of this vulnerability can lead to a denial-of-service condition, where all available TCP connections are exhausted, preventing new connections from being established.
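Because existing connections remain unaffected, a client that keeps one long-lived session open will not notice the condition; a health check has to open a fresh connection each time. The following monitoring probe is an added example, not code from CODESYS or from the original advisory; the unit ID 1, register address 0, timeout and three-failure alert threshold are assumptions to adjust per site.

```python
import socket
import struct

MODBUS_PORT = 502  # standard Modbus TCP port


def build_read_request(tid, unit=1, address=0, count=1):
    """MBAP header + Read Holding Registers (function 0x03) PDU."""
    pdu = struct.pack(">BHH", 0x03, address, count)
    # MBAP: transaction id, protocol id (0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def is_valid_reply(reply, tid):
    """A normal or an exception response both prove the server is serving."""
    if len(reply) < 8:
        return False
    r_tid, proto, _length, _unit, func = struct.unpack(">HHHBB", reply[:8])
    # Exception responses set the high bit of the function code (0x83).
    return r_tid == tid and proto == 0 and func & 0x7F == 0x03


def probe(host, port=MODBUS_PORT, timeout=3.0, tid=0x1234):
    """Open a NEW connection on every call and return a status string.

    Statuses: 'ok', 'refused', 'timeout', 'closed', 'bad_reply'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_read_request(tid))
            reply = s.recv(260)  # 260 bytes is the maximum Modbus TCP ADU
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "closed"
    if not reply:
        return "closed"  # accepted, then dropped without an answer
    return "ok" if is_valid_reply(reply, tid) else "bad_reply"


def should_alert(statuses, threshold=3):
    """Alert after `threshold` consecutive failed fresh-connection probes."""
    recent = statuses[-threshold:]
    return len(recent) == threshold and all(s != "ok" for s in recent)
```

Run `probe()` on a schedule from the monitoring host, append each result to a history list, and raise an alarm when `should_alert()` returns true.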
Remediation
Users are advised to update to CODESYS Modbus version 4.6.0.0 or later. For existing CODESYS projects, the local Modbus TCP Server in the device tree must also be updated to the latest version, and the CODESYS application must be downloaded to the PLC. The CODESYS Development System and available CODESYS add-ons can be downloaded via the CODESYS Installer or from the CODESYS Store. Additional update information is available in the CODESYS Update area.
