TruControl laser control software from versions 1.04 to 3.0.0 uses CODESYS runtime versions affected by multiple CVEs:

CVE-2021-29242, CVE-2021-29241, CVE-2019-5105, CVE-2020-7052, CVE-2019-9012, CVE-2019-9010, CVE-2019-9009, CVE-2018-10612

In addition to the CVEs listed above, the affected products are also affected by the following three vulnerabilities without a CVE ID:

CODESYS Advisory 2018-07

A crafted communication request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.

CVSSv3.0 base score 6.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


CODESYS Advisory 2018-04

The CODESYS runtime system allows online services to access files outside the restricted working directory of the controller.

CVSSv3.0 base score 9.9
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


CODESYS Advisory 2017-03

A crafted request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.

CVSSv3.0 base score 7.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Access to the Apache web server installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials, even if they were configured during installation.

A device on the same network as the controller sending a specially crafted JSON request to the /auth/access-token endpoint may cause the controller to restart (CWE-20).


The CVSS score has been raised from 7.7 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) to 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

The third-party Niche Ethernet stack has several vulnerabilities announced by the security research community.
Phoenix Contact Classic Line industrial controllers are developed and designed for use in closed industrial networks. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a denial of service or a breach of integrity of the PLC.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

See details on Microsoft Advisory CVE-2021-34527 (

Multiple vulnerabilities in mbConnect24serv (a software service of mbDIALUP) can lead to arbitrary code execution due to improper privilege management.

Update A, 2021-11-24

  • corrected fixed version in solution from 3.9R0.4 to 3.9R0.5

Two issues have been discovered in mymbCONNECT24 and mbCONNECT24 in all versions including V2.8.0.

