CVE-2019-9013
Description
An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CODESYS V3 products use non-TLS encryption, exposing user credentials to interception over the network.
Vulnerability
An issue in the CmpUserMgr component of CODESYS V3 products allows the application to utilize non-TLS based encryption, resulting in insufficient protection of user credentials during transport. All variants of the following CODESYS V3 products in all versions containing CmpUserMgr are affected, regardless of CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, and CODESYS HMI V3 [1].
Exploitation
An attacker with network access to PLC traffic can intercept communications. No authentication or user interaction is required; the skill level needed is low. The attacker can capture the insufficiently protected credentials by monitoring the network [1].
Impact
Successful exploitation allows an attacker to obtain user credentials, potentially leading to full compromise of the confidentiality, integrity, and availability of the system. The CVSS v3 base score is 8.8, indicating high impact [1].
Mitigation
3S-Smart Software Solutions GmbH reports that this vulnerability will be corrected by downloading version 3.5.16.0. Users should update to this version on all affected products. For more information, refer to the vendor advisory [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 3S-Smart/CODESYS V3 (description)
Patches
No patches discovered yet.
References
- customers.codesys.com/index.php (mitre, x_refsource_CONFIRM)
- www.us-cert.gov/ics/advisories/icsa-19-213-04 (mitre, x_refsource_MISC)