Promass 83 devices utilizing 499ES EtherNet/IP (ENIP) Stack by Real Time Automation (RTA) are vulnerable to a stack-based buffer overflow.

Update A, 2021-10-07:

  • added credits
  • changed title from "ENDRESS+HAUSER: Promass 83 with Ether/IP affected by DoS vulnerability" to "ENDRESS+HAUSER: Promass 83 with EtherNet/IP affected by a stack-based buffer overflow"


The affected product families are cameras SBOC/SBOI and the Controller SBRD. The vulnerabilities are located within the Ethernet IP Stack from EIPStackGroup OpENer Ethernet/IP.

Multiple products of PILZ utilise a third-party TCP/IP implementation - the "Niche Ethernet Stack". This TCP/IP stack contains multiple vulnerabilities which are therefore affecting the products listed above.

Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version,,,,, and contain vulnerable versions of WIBU-SYSTEMS Codemeter.

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
With special crafted requests it is possible to read and write some special parameters without authentication.
This vulnerability is different to advisory SAV-2020-014 / VDE-2020-028.

WAGO: OpenSSL DoS Vulnerability in PLCs

WAGO controllers have always been designed for easy connection to IT infrastructure. Even controllers from legacy product lines support encryption standards to ensure secure communication.
With special crafted requests it is possible to bring the device out of operation.
All listed devices are vulnerable for this denial of service attack.

Critical vulnerabilities have been discovered in the product and in the utilized components jQuery by jQuery Team and TLS Version 1.0/1.1.

The impact of the vulnerabilities on the affected device may result in

  • denial of service
  • remote code execution
  • code exposure


By Vendor




(Scoring for CVSS 2.0,3.0+3.1)
No CVE available
0.1 <= 3.9
4.0 <= 6.9
7.0 <= 8.9
9.0 <= 10.0