The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service.
Credits
Independent researcher Reid Wightman of IOActive, formerly of Digital Bond has validated that the patch, issued by 3S, mitigates theses vulnerabilities.
