In the world of industrial automation, CODESYS is a widely used development environment for programming controller applications. However, in 2022 a serious vulnerability, CVE-2022-31805, was disclosed. This flaw puts industrial processes at risk because passwords are transmitted unprotected between clients and servers. In this article, we break down the issue, show how it can be exploited, and give simple guidelines on staying safe.
What Is CVE-2022-31805?
The CVE-2022-31805 vulnerability affects the CODESYS Development System, and in particular several of its components (for example, the OPC server, the Gateway Server, and the programming interface). The problem? These components transmit authentication passwords in clear text over the network, exposing them to anyone who can capture the traffic.
- Instead of encrypting the password, CODESYS sends it over the network without any protection.
- Attackers on the same network can easily grab those passwords and use them to control or disrupt industrial systems.
Affected Versions
Originally reported by CODESYS GmbH in their advisory (linked under Vendor Guidance below), the vulnerability impacts:
Affected components (among others): CODESYS Gateway Server, OPC DA Server, PLC Handler
(CODESYS fixed the issue in version 3.5.17.10; that release and later are patched.)
How Does the Flaw Work?
When you log into a CODESYS PLC or server, the client software sends your username and password in plain text. Anyone with a network packet sniffer (such as Wireshark or tcpdump) can read your login as it crosses the wire.
Diagram

[Your PC] ---plaintext password---> [PLC/Server]
                     ^
                     |
      anyone sniffing the traffic reads the password
Proof of Concept: Sniffing Credentials
Let’s see how an attacker could exploit this with standard tools.
Step 1: Set up a packet sniffer
sudo tcpdump -i eth port 1217 -w codesys_traffic.pcap
*Replace eth with the name of your capture interface and 1217 with the actual TCP/UDP port used by your CODESYS service.*
Step 2: Open the capture in Wireshark
- Filter by the relevant port/protocol.
Sample Wireshark display filter
tcp.port == 1217 && frame contains "Password"
- Example payload (decoded from hex)
UserName=admin&Password=supersecretpassword
*(Screenshot omitted: in the packet bytes you literally see the login data as plain text.)*
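The Wireshark filter above is a manual check. For continuous monitoring, the same idea can be turned into a small detector that scans captured payloads for form-style credential fields and raises an alert with the secret redacted, so the alert itself does not leak the password into logs. The following is an added example written for this article, not code from the original post or from CODESYS; the field names it looks for (UserName, Password, pwd, and so on) and the sample flows are constructed assumptions modelled on the payload shown above.

```python
"""Detect cleartext credential submissions in captured payloads.

Added example (not from the original article or from CODESYS). It scans
reassembled TCP payloads for form-style "key=value" credential fields and
emits an alert that carries only the username and the password length,
never the password itself. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field names treated as secrets (assumption: modelled on the article's payload).
CRED_KEYS = ("password", "passwd", "pwd")
# Field names treated as the account name, in order of preference.
USER_KEYS = ("username", "user", "login")
# "key=value" pairs separated by '&', newlines or whitespace.
PAIR_RE = re.compile(rb"([A-Za-z_]+)=([^&\r\n\s]*)")


@dataclass
class Alert:
    src: str
    dst: str
    port: int
    user: str
    password_len: int  # length only: the secret is deliberately not stored


def find_cleartext_credentials(payload: bytes) -> Optional[Dict[str, str]]:
    """Return {"user", "password"} if the payload carries a cleartext login, else None.

    An empty secret field (e.g. "Password=") is not treated as a login.
    """
    fields = {k.lower().decode(): v for k, v in PAIR_RE.findall(payload)}
    for key in CRED_KEYS:
        if fields.get(key):
            user = next((fields[u] for u in USER_KEYS if fields.get(u)), b"?")
            return {
                "user": user.decode(errors="replace"),
                "password": fields[key].decode(errors="replace"),
            }
    return None


def redact(payload: bytes) -> bytes:
    """Mask secret values so a payload can be written to a log safely."""
    def mask(m: re.Match) -> bytes:
        key, value = m.group(1), m.group(2)
        if key.lower().decode() in CRED_KEYS and value:
            return key + b"=" + b"*" * 8
        return m.group(0)
    return PAIR_RE.sub(mask, payload)


def scan_flows(flows: List[Tuple[str, str, int, bytes]]) -> List[Alert]:
    """Run the detector over (src, dst, port, payload) tuples."""
    alerts = []
    for src, dst, port, payload in flows:
        hit = find_cleartext_credentials(payload)
        if hit:
            alerts.append(Alert(src, dst, port, hit["user"], len(hit["password"])))
    return alerts


# Constructed sample flows: one login like the article's payload, one binary
# frame, one login with different field names, and one empty password field.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 1217, b"UserName=admin&Password=supersecretpassword"),
    ("10.0.0.5", "10.0.0.20", 1217, b"\x00\x01\x02binary telemetry frame\x03"),
    ("10.0.0.7", "10.0.0.20", 1217, b"user=operator&pwd=Winter2022"),
    ("10.0.0.7", "10.0.0.21", 4840, b"Password="),
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT cleartext login {alert.src}->{alert.dst}:{alert.port} "
              f"user={alert.user} password_len={alert.password_len}")
        print("  payload:", redact(SAMPLE_FLOWS[0][3]).decode(errors="replace"))
```

Feed it the TCP payloads from the pcap (for example via a pcap reader of your choice) and any alert tells you a device on your network is still sending logins in clear text, which is the condition the patch removes.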
Attackers with access to your industrial network could:
- Steal credentials to PLCs/SCADA/HMI systems.
- Gain a persistent foothold in critical infrastructure.
Since these systems often control real-world equipment (factories, water plants, power grids), the consequences could be very serious.
If You Use CODESYS
1. Update immediately to CODESYS V3.5.17.10 or later (see the vendor changelog).
2. Do NOT reuse passwords across devices or environments.
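Checking "3.5.17.10 or later" by eye across a fleet of controllers is error-prone, because version strings are compared component by component, not as text ("3.5.17.9" is older than "3.5.17.10" even though it sorts after it as a string). Here is an added example, not from the original article or from CODESYS, that parses version strings from an inventory and lists the hosts still below the fixed release; the inventory entries are constructed, and an incomplete version such as "V3.5.17" is conservatively treated as "3.5.17.0" (an assumption) so that it is flagged rather than silently passed.

```python
"""Audit CODESYS version strings against the fixed release V3.5.17.10.

Added example (not from the original article or from CODESYS). The fixed
version comes from the article; the inventory below is constructed.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (3, 5, 17, 10)  # first patched release per the article
# Optional "V" prefix, then dotted digits, e.g. "V3.5.17.10" or "3.5.18.0".
VERSION_RE = re.compile(r"V?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from text and return it as a 4-tuple of ints.

    Missing trailing components are padded with 0 (assumption: "3.5.17" is
    treated as 3.5.17.0, which errs on the side of flagging the host).
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return (parts + (0, 0, 0, 0))[:4]


def is_patched(text: str) -> bool:
    """True if the version in text is V3.5.17.10 or later."""
    return parse_version(text) >= FIXED_VERSION


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version string) for every host below the fixed release."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]


# Constructed inventory: hostname and the version string reported by the device.
INVENTORY = [
    ("plc-line1", "CODESYS V3.5.17.10"),
    ("plc-line2", "V3.5.16.30"),
    ("gateway-a", "3.5.18.0"),
    ("plc-line3", "V3.5.17.9"),
    ("hmi-b", "V3.5.17"),
]

if __name__ == "__main__":
    for host, ver in audit(INVENTORY):
        print(f"UNPATCHED {host}: {ver}")
```

Tuple comparison is what makes "V3.5.17.9" sort correctly below the fixed release; a plain string comparison would get that case wrong.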
Vendor Guidance:
Official CODESYS advisory:
https://www.codesys.com/security/security-reports.html
CISA ICS advisory:
https://www.cisa.gov/news-events/ics-advisories/icsa-22-180-05
Final Thoughts
CVE-2022-31805 is a classic example of why encryption matters everywhere. Even the most trusted industrial automation tools sometimes make mistakes that put critical systems at risk. Knowing how these flaws work and what tools can exploit them makes us better at defending our networks.
If you work with CODESYS or similar tools, patch early, segment your networks, and never assume your protocols are safe until you check!
References
- NVD Detail: CVE-2022-31805
- ICS Advisory (ICSA-22-180-05)
- CODESYS Security Update
Timeline
Published on: 06/24/2022 08:15:00 UTC
Last modified on: 07/07/2022 13:40:00 UTC