Cyber Security: Lenze PLC Designer V4 with insecure storage of sensitive information

Corrected from:
PLC Designer V4.0.1 

Behavior of the new version:
Even after logging out, the password is still hidden with * and not displayed in plain text. 

 

Source: Lenze SE
 
Date of availability: 20.06.2025
 
Reference to official Advisory Cert@VDE:
Further information on 'Lenze PLC Designer V4 with insecure storage of sensitive information' can be found in the advisory 'VDE-2025-043'. 

Patch installation:
Install the current version of PLC Designer V4. Follow the installation instructions in the corresponding Download AKB article.

Dependencies: 
The installation of PLC Designer V4.0.1 depends on the Windows operating system used. Please note the system requirements in the Download AKB article. 
 
Proof of use:
Check the installed version in the PLC Designer - see menu 'Help' → 'About'.
 
Risks if the patch is not applied:
Details on the risks can be found in the 'Impact' section of the official advisory.   

 

Description of the behavior:
The GDS password entered in parameter 0x2471:158 is readable. 
 
Conditions under which the behavior occurs: 
The behavior described above occurs when the GDS password is set online. Online, the password is hidden by displaying *. After logging out (offline), the password is displayed in plain text.
 
Affected products:
PLC Designer V4.0.0 
 
Short-term measure, recommendations, evaluation: 
Use PLC Designer version 4.0.1 or higher.

[Automatic Translation]


URL for linking this AKB article: https://www.lenze.com/en-de/go/akb/202500188/1/