Do PLCs run a common intermediate language under the hood?

[Thomas_v2]

In the newer S7-1200/1500 I am quite certain that the code is compiled to something very close to the machine code. When loading the code on the CPU, both debug information and a copy of the source code is loaded as well (since nowadays memory is cheap). Because of that you can upload the program and get both code, comments and symbols.

The 1200/1500 compile to an intermediate language, MC7+. On the Plc it runs inside a protected sandbox. Underlying is a Siemens custom operating system (kernel), which runs in case of a S7-1200 on an ARM Cortex R4.

Siemens has fixed a security vulnerability last week. With some special crafted MC7+ commands an attacker was able to break out of the sandbox, and read out the complete memory of the Plc from the Plc program, including operating system, private keys for tls and so on.

In the old S7-300/S7-400 were some CPU which has a special ASIC which speaks MC7 native. The S7 clones from Vipa had the Speed7 processor which also speaks native MC7.