CVE-2011-5007

3S CoDeSys < 3.4 - Remote Code Execution via Long URI to CmpWebServer

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-5007. PoCs published by Metasploit, Celil Ünüver and Luigi Auriemma, including the Metasploit module exploits/windows/scada/codesys_web_server.

AI-analyzed exploit summary

This Metasploit module exploits a stack buffer overflow in CoDeSys SCADA Web Server v1.1.9.9 via a maliciously crafted HTTP GET request. It achieves remote code execution by overwriting the return address with a JMP ESP instruction and executing shellcode.

Description

Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/18240

This Metasploit module exploits a stack buffer overflow in CoDeSys SCADA Web Server v1.1.9.9 via a maliciously crafted HTTP GET request. It achieves remote code execution by overwriting the return address with a JMP ESP instruction and executing shellcode.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CoDeSys SCADA Web Server v1.1.9.9
No auth needed
Prerequisites: Network access to the target's web server (port 8080) · Target running vulnerable CoDeSys SCADA Web Server version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Celil Ünüver · c · remote · windows
https://www.exploit-db.com/exploits/18187

This exploit targets a remote buffer overflow in CoDeSys v2.3 webserver, sending a crafted HTTP GET request with a malicious payload to achieve remote code execution. It includes shellcode and a reverse shell connection to port 4444.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CoDeSys v2.3
No auth needed
Prerequisites: Network access to the target's webserver on port 8080 · Target running CoDeSys v2.3 on Windows XP SP1 EN
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Luigi Auriemma, Celil Ünüver · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/scada/codesys_web_server.rb

This Metasploit module exploits a stack buffer overflow in CoDeSys Web Server versions 3.4 SP4 Patch 2 and earlier, allowing remote code execution via a crafted HTTP GET request. It includes two targets for different CoDeSys versions and leverages a JMP ESP or memcpy technique to bypass stack protections.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: 3S CoDeSys Web Server <= 3.4 SP4 Patch 2
No auth needed
Prerequisites: Network access to the target's web server (port 8080) · Target running vulnerable CoDeSys version
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References

Mailing List (bugtraq)
http://seclists.org/bugtraq/2011/Nov/178

Vendor Advisory (third-party advisory, Secunia)
http://secunia.com/advisories/47018

Third Party Advisory (misc)
http://aluigi.altervista.org/adv/codesys_1-adv.txt

Third Party Advisory, VDB Entry (OSVDB)
http://osvdb.org/77387

Exploit (exploit-db)
http://www.exploit-db.com/exploits/18187

Scores

EPSS 0.7320
EPSS Percentile 99.4%

Details

CWE
CWE-119
Status published
Products (1)
3ssoftware/codesys < 3.4
Published Dec 25, 2011
Tracked Since Feb 18, 2026