Several major industrial control system (ICS) vendors have released security advisories in response to the recently disclosed vulnerabilities affecting the CodeMeter licensing and DRM solution made by Germany-based Wibu-Systems.
CodeMeter provides license management capabilities and is designed to protect software against piracy and reverse engineering. It’s used for a wide range of applications, including various types of industrial products.
Industrial cybersecurity firm Claroty reported earlier this week that CodeMeter is affected by six critical and high-severity vulnerabilities that can be exploited to launch attacks against industrial systems, including to deliver malware and exploits and to shut down devices or processes.
The company’s researchers showed how an attacker can launch attacks by setting up a malicious website and luring targeted users to it, or by creating their own CodeMeter API and client and sending commands to devices running CodeMeter.
Wibu-Systems was informed about the vulnerabilities and has released patches (version 7.10), which vendors have been encouraged to apply to their products. The United States Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory, as have many of the major ICS vendors that are impacted. Schneider Electric is not on the list, but the company is also expected to release an advisory.