|Article No°||Product Name||Affected Version(s)|
|2682630000||IOT-GW30-4G-EU (with u-OS)||2.0.0 , 2.0.1|
|2682620000||IOT-GW30 (with u-OS)||2.0.0 , 2.0.1|
|1334950000||UC20-WL2000-AC (with u-OS)||2.0.0 , 2.0.1|
|1334990000||UC20-WL2000-IOT (with u-OS)||2.0.0 , 2.0.1|
|2660130000||u-create studio||<= 4.2.4|
Multiple Weidmueller products are affected by recent WIBU vulnerability.
A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.
An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction.
Exploiting the vulnerability in WIBU CodeMeter Runtime in non-networked workstation mode could lead to a privilege elevation and full admin access on this workstation.
Disabling the network server function within CodeMeter would mitigate the vulnerability. To disable this function
please refer to the following steps:
1. Navigate to the CodeMeter WebAdmin Website
2. Select option Settings > Server > Server access
3. Choose option “deactivate” in section “network server”
4. Click “Apply” button on the bottom of the website
For the affected u-control web Controllers and IoT-Gateways please update the firmware to at least version
2.0.2. The firmware update can be obtained from www.weidmueller.com.
For u-create studio please update the CodeMeter control center software to at least version 7.60c. The
Codemeter control center is included in u-create studio and is installed on your computer in parallel. The
Codemeter control center update can be obtained from WIBU-SYSTEMS homepage. Look for “CodeMeter User Runtime für Windows” on WIBU-Website.
Find below appropriate patched firmware versions for all affected products.
|Product number||Product name||Patched in version|
|1334950000||UC20-WL2000-AC (with u-OS)||≥ 2.0.2|
|1334990000||UC20-WL2000-IOT (with u-OS)||≥ 2.0.2|
|2682620000||IOT-GW30 (with u-OS)||≥ 2.0.2|
|2682630000||IOT-GW30-4G-EU (with u-OS)||≥ 2.0.2|
|2660130000||u-create studio with CodeMeter control center||≥ 7.60c|
The vulnerability was discovered and reported by WIBU-SYSTEMS AG.
Weidmueller thanks CERT@VDE for the support with this publication.