CVE-2019-9012
Description
An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Uncontrolled memory allocation in CODESYS V3 Gateway allows remote attackers to cause denial-of-service by sending crafted communication requests.
Vulnerability
The CODESYS Gateway V3 component, present in all CODESYS V3 products prior to version v3.5.14.20, contains an uncontrolled memory allocation vulnerability (CWE-283). A crafted communication request can trigger excessive memory consumption, leading to a denial-of-service condition. The vulnerability affects all variants of CODESYS Control for various platforms, CODESYS Gateway V3, and the CODESYS V3 Development System, regardless of CPU or operating system [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication or user interaction. By sending specially crafted communication requests to the affected CODESYS Gateway, the attacker can cause uncontrolled memory allocation. The attack requires only network access to the target device and a low skill level [1].
Impact
Successful exploitation results in a denial-of-service condition, causing the affected product to become unresponsive. The CVSS v3 base score is 7.5 (High) with a vector string of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating no impact on confidentiality or integrity, but high impact on availability [1].
Mitigation
3S-Smart Software Solutions GmbH has released versions v3.5.14.20 and v3.5.15.0, which address the vulnerability. Users should update their CODESYS V3 software to the latest version available from the CODESYS download area [1]. Until patching is possible, CISA recommends defensive measures such as limiting network exposure and using firewalls.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 3S-Smart/CODESYS V3 (source: description)
Patches
No patches discovered yet.
References
- customers.codesys.com/index.php (mitre, x_refsource_CONFIRM)
- www.us-cert.gov/ics/advisories/icsa-19-213-03 (mitre, x_refsource_MISC)