CVE-2020-12069 | CODESYS V3 prone to Inadequate Password Hashing

In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.

Published: 2022-12-26 Last update: 2025-05-05 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2020-12069 is rated Low Risk (39.4/100): CVSS High severity, with low exploitation likelihood (EPSS 0.08%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2020-12069

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-01-06 0.04% 0.08% +0.03%
2 2024-10-04 0.16% 0.04% -0.12%
3 2024-01-02 0.16%

Full EPSS history (5 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-12069

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 5.9 [email protected]
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 5.9 [email protected]

Weakness enumeration for CVE-2020-12069

Affected software / configurations for CVE-2020-12069

Vendor Product Version Raw CPE
pilz pmc >= 3.0.0, < 3.5.17 cpe:2.3:a:pilz:pmc:*:*:*:*:*:*:*:*
codesys control_for_beaglebone < 3.5.16.0 cpe:2.3:a:codesys:control_for_beaglebone:*:*:*:*:*:*:*:*
codesys control_for_empc-a\/imx6 < 3.5.16.0 cpe:2.3:a:codesys:control_for_empc-a\/imx6:*:*:*:*:*:*:*:*
codesys control_for_iot2000 < 3.5.16.0 cpe:2.3:a:codesys:control_for_iot2000:*:*:*:*:*:*:*:*
codesys control_for_linux < 3.5.16.0 cpe:2.3:a:codesys:control_for_linux:*:*:*:*:*:*:*:*
codesys control_for_pfc100 < 3.5.16.0 cpe:2.3:a:codesys:control_for_pfc100:*:*:*:*:*:*:*:*
codesys control_for_pfc200 < 3.5.16.0 cpe:2.3:a:codesys:control_for_pfc200:*:*:*:*:*:*:*:*
codesys control_for_plcnext < 3.5.16.0 cpe:2.3:a:codesys:control_for_plcnext:*:*:*:*:*:*:*:*
codesys control_for_raspberry_pi < 3.5.16.0 cpe:2.3:a:codesys:control_for_raspberry_pi:*:*:*:*:*:*:*:*
codesys control_rte_v3 < 3.5.16.0 cpe:2.3:a:codesys:control_rte_v3:*:*:*:*:*:*:*:*
codesys control_v3_runtime_system_toolkit < 3.5.16.0 cpe:2.3:a:codesys:control_v3_runtime_system_toolkit:*:*:*:*:*:*:*:*
codesys control_win_v3 < 3.5.16.0 cpe:2.3:a:codesys:control_win_v3:*:*:*:*:*:*:*:*
codesys hmi_v3 < 3.5.16.0 cpe:2.3:a:codesys:hmi_v3:*:*:*:*:*:*:*:*
codesys v3_simulation_runtime < 3.5.16.0 cpe:2.3:a:codesys:v3_simulation_runtime:*:*:*:*:*:*:*:*
festo controller_cecc-d_firmware 2.3.8.0 cpe:2.3:o:festo:controller_cecc-d_firmware:2.3.8.0:*:*:*:*:*:*:*
festo controller_cecc-d_firmware 2.3.8.1 cpe:2.3:o:festo:controller_cecc-d_firmware:2.3.8.1:*:*:*:*:*:*:*
festo controller_cecc-lk_firmware 2.3.8.0 cpe:2.3:o:festo:controller_cecc-lk_firmware:2.3.8.0:*:*:*:*:*:*:*
festo controller_cecc-lk_firmware 2.3.8.1 cpe:2.3:o:festo:controller_cecc-lk_firmware:2.3.8.1:*:*:*:*:*:*:*
festo controller_cecc-s_firmware 2.3.8.0 cpe:2.3:o:festo:controller_cecc-s_firmware:2.3.8.0:*:*:*:*:*:*:*
festo controller_cecc-s_firmware 2.3.8.1 cpe:2.3:o:festo:controller_cecc-s_firmware:2.3.8.1:*:*:*:*:*:*:*
wago 750-8217_firmware cpe:2.3:o:wago:750-8217_firmware:-:*:*:*:*:*:*:*
wago 750-8216_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8216_firmware:*:*:*:*:*:*:*:*
wago 750-8215_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8215_firmware:*:*:*:*:*:*:*:*
wago 750-8214_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8214_firmware:*:*:*:*:*:*:*:*
wago 750-8213_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8213_firmware:*:*:*:*:*:*:*:*
wago 750-8212_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8212_firmware:*:*:*:*:*:*:*:*
wago 750-8211_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8211_firmware:*:*:*:*:*:*:*:*
wago 750-8210_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8210_firmware:*:*:*:*:*:*:*:*
wago 750-8207_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8207_firmware:*:*:*:*:*:*:*:*
wago 750-8206_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8206_firmware:*:*:*:*:*:*:*:*
wago 750-8204_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8204_firmware:*:*:*:*:*:*:*:*
wago 750-8203_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8203_firmware:*:*:*:*:*:*:*:*
wago 750-8202_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8202_firmware:*:*:*:*:*:*:*:*
wago 750-8102_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8102_firmware:*:*:*:*:*:*:*:*
wago 750-8101_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8101_firmware:*:*:*:*:*:*:*:*
wago 750-8100_firmware < 03.06.19\(18\) cpe:2.3:o:wago:750-8100_firmware:*:*:*:*:*:*:*:*
wago 762-4201\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4201\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-4202\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4202\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-4203\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4203\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-4204\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4204\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-4205\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4205\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-4205\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4205\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-4206\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4206\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-4206\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4206\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-4301\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4301\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-4302\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4302\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-4303\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4303\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-4304\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4304\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-4305\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4305\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-4306\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-4306\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-5203\/8000-001_firmware <= 03.06.19\(18\) cpe:2.3:o:wago:762-5203\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-5204\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-5204\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-5205\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-5205\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-5206\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-5206\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-5303\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-5303\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-5304\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-5304\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-5305\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-5305\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-5306\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-5306\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-6201\/8000-001_firmware <= 03.06.19\(18\) cpe:2.3:o:wago:762-6201\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-6202\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-6202\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-6203\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-6203\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-6204\/8000-001_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-6204\/8000-001_firmware:*:*:*:*:*:*:*:*
wago 762-6301\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-6301\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-6302\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-6302\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-6303\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-6303\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 762-6304\/8000-002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:762-6304\/8000-002_firmware:*:*:*:*:*:*:*:*
wago 752-8303\/8000-0002_firmware < 03.06.19\(18\) cpe:2.3:o:wago:752-8303\/8000-0002_firmware:*:*:*:*:*:*:*:*

References for CVE-2020-12069

cvelogic Threat Intelligence