What is CVE-2022-31806?

CVE-2022-31806 is a critical-severity vulnerability in Codesys Plcwinnt, classified under Initialization of a Resource with an Insecure Default. CVSS score: 9.8/10. Published 2022-06-24.

How severe is CVE-2022-31806?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2022-31806 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Codesys Plcwinnt

CVE-2022-31806

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the contr…

EPSS: 0.004 (63.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Codesys Plcwinnt — versions V2
Codesys Runtime Toolkit 32 Bit Full — versions V2

Weakness classification (CWE)

CWE-1188 — Initialization of a Resource with an Insecure Default

Public proof-of-concept exploits

References

customers.codesys.com/index.php (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2022-31806?: CVE-2022-31806 is a critical-severity vulnerability in Codesys Plcwinnt, classified under Initialization of a Resource with an Insecure Default. CVSS score: 9.8/10. Published 2022-06-24.
How severe is CVE-2022-31806?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2022-31806 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.