PatchSiren

CVE-2022-31802 CODESYS CVE debrief

CVE-2022-31802 is a critical authentication bypass affecting CODESYS Gateway Server V2 in Festo-related software. According to the supplied CSAF description, versions prior to V2.3.9.38 compare only part of the provided password against the real gateway password, which can let an attacker authenticate with a shorter password that matches the compared portion. The result is a network-reachable, unauthenticated login path with high impact on confidentiality, integrity, and availability.

Vendor: CODESYS
Product: Software
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-03
Original CVE updated: 2024-12-03
Advisory published: 2024-12-03
Advisory updated: 2024-12-03

Who should care

OT/ICS operators, plant engineering teams, and administrators running CODESYS provided by Festo or CODESYS Gateway Server V2 should treat this as urgent. Security teams responsible for industrial gateways, remote access paths, and controller authentication should also verify exposure and patch status.

Technical summary

The supplied advisory describes a logic flaw in password verification: only part of the submitted password is checked against the stored gateway password. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that the issue is remotely reachable, requires no privileges or user interaction, and can lead to full compromise of the affected service. The source identifies affected versions as those prior to V2.3.9.38 and provides a mitigation to enable password protection at login when no controller password is set.
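The bug class described above, shown as a flawed check beside a corrected one. This is an added illustration, not code from CODESYS or the advisory; it assumes the partial comparison is bounded by the length of the submitted password, which the advisory does not specify, and the function names and sample password are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Flawed (illustrative): the comparison length comes from the submitted
 * value, so any prefix of the stored password, even "", is accepted. */
int check_partial(const char *stored, const char *supplied)
{
    return strncmp(stored, supplied, strlen(supplied)) == 0;
}

/* Corrected: lengths must be equal, then every byte is compared with no
 * early exit. Plaintext is used only to isolate the length logic; a real
 * service would compare salted password hashes the same way. */
int check_full(const char *stored, const char *supplied)
{
    size_t ls = strlen(stored), lu = strlen(supplied);
    unsigned char diff = 0;

    if (ls != lu)
        return 0;
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)stored[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    const char *stored = "Gateway#2022";          /* constructed sample */
    const char *tries[] = { "Gateway#2022", "Gate", "", "Gateway#2022x" };

    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-15s partial=%d full=%d\n", tries[i][0] ? tries[i] : "(empty)",
               check_partial(stored, tries[i]), check_full(stored, tries[i]));
    return 0;
}
```

When reviewing authentication code for this pattern, look for any comparison whose length argument is derived from caller-supplied input rather than from the stored secret.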

Defensive priority

Immediate

Recommended defensive actions

  • Identify any deployment of CODESYS Gateway Server V2 or CODESYS provided by Festo in the environment.
  • Upgrade affected installations to a version at or above V2.3.9.38.
  • Enable password protection at login if no password is set at the controller.
  • Manually include the password configuration file in backup and restore workflows, since the default FFT backup and restore mechanism does not cover it.
  • Restrict network access to industrial gateway services and monitor for unusual authentication activity.

Evidence notes

The CSAF source item (ICSA-25-182-03) states that versions prior to V2.3.9.38 compare only part of the specified password to the real CODESYS Gateway password. The same source assigns CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and lists a mitigation about enabling password protection at login. The supplied revision history shows the advisory was initially published on 2024-12-03 and then corrected the same day to fix one reference.

Official resources

Use the supplied CVE and source timestamps for timing context: the record and source item are both dated 2024-12-03T11:00:00Z in the provided corpus, and the CSAF revision history notes a same-day corrected-reference update. No KEV entry is