Search criteria
6 vulnerabilities found for Control Win (SL) by CODESYS
CVE-2025-41691 (GCVE-0-2025-41691)
Vulnerability from nvd – Published: 2025-08-04 08:04 – Updated: 2025-08-04 16:32
VLAI
Title
CODESYS Control DoS via Unauthenticated NULL Pointer Dereference
Summary
An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
1 reference
Impacted products
15 products
| Vendor | Product | Version | |
|---|---|---|---|
| CODESYS | Control RTE (SL) |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control RTE (for Beckhoff CX) SL |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control Win (SL) |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | HMI (SL) |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control for BeagleBone SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for emPC-A/iMX6 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for IOT2000 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux ARM SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC100 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC200 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PLCnext SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Raspberry Pi SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for WAGO Touch Panels 600 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Virtual Control SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T16:28:09.392670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T16:32:30.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Control RTE (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control RTE (for Beckhoff CX) SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control Win (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "HMI (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for BeagleBone SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for emPC-A/iMX6 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for IOT2000 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux ARM SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC100 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC200 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PLCnext SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Raspberry Pi SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for WAGO Touch Panels 600 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Virtual Control SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.\u003cbr\u003e"
}
],
"value": "An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T08:04:34.981Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://certvde.com/de/advisories/VDE-2025-070"
}
],
"source": {
"advisory": "VDE-2025-070",
"defect": [
"CERT@VDE#641834"
],
"discovery": "UNKNOWN"
},
"title": "CODESYS Control DoS via Unauthenticated NULL Pointer Dereference",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41691",
"datePublished": "2025-08-04T08:04:34.981Z",
"dateReserved": "2025-04-16T11:17:48.309Z",
"dateUpdated": "2025-08-04T16:32:30.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41659 (GCVE-0-2025-41659)
Vulnerability from nvd – Published: 2025-08-04 08:04 – Updated: 2025-08-04 16:35
VLAI
Title
CODESYS Control PKI Exposure Enables Remote Certificate Access
Summary
A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
1 reference
Impacted products
16 products
| Vendor | Product | Version | |
|---|---|---|---|
| CODESYS | Control RTE (SL) |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control RTE (for Beckhoff CX) SL |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control Win (SL) |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | HMI (SL) |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Runtime Toolkit |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control for BeagleBone SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for emPC-A/iMX6 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for IOT2000 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux ARM SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC100 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC200 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PLCnext SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Raspberry Pi SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for WAGO Touch Panels 600 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Virtual Control SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T16:34:47.316036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T16:35:32.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Control RTE (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control RTE (for Beckhoff CX) SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control Win (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "HMI (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Runtime Toolkit",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for BeagleBone SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for emPC-A/iMX6 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for IOT2000 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux ARM SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC100 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC200 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PLCnext SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Raspberry Pi SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for WAGO Touch Panels 600 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Virtual Control SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luca Borzacchiello from Nozomi Networks"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.\u003cbr\u003e"
}
],
"value": "A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T08:04:04.597Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://certvde.com/de/advisories/VDE-2025-051"
}
],
"source": {
"advisory": "VDE-2025-051",
"defect": [
"CERT@VDE#641801"
],
"discovery": "UNKNOWN"
},
"title": "CODESYS Control PKI Exposure Enables Remote Certificate Access",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41659",
"datePublished": "2025-08-04T08:04:04.597Z",
"dateReserved": "2025-04-16T11:17:48.307Z",
"dateUpdated": "2025-08-04T16:35:32.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4224 (GCVE-0-2022-4224)
Vulnerability from nvd – Published: 2023-03-23 11:15 – Updated: 2026-05-29 14:08
VLAI
Title
CODESYS: Exposure of Resource to Wrong Sphere in CODESYS V3
Summary
In multiple products of CODESYS v3 in multiple versions a remote low privileged user could utilize this vulnerability to read and modify system files and OS resources or DoS the device.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1188 - Insecure Default Initialization of Resource
Assigner
References
1 reference
Impacted products
17 products
| Vendor | Product | Version | |
|---|---|---|---|
| CODESYS | Control RTE (SL) |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Control RTE (for Beckhoff CX) SL |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Control Win (SL) |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Runtime Toolkit |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Safety SIL2 Runtime Toolkit |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Safety SIL2 PSP |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | HMI (SL) |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Development System V3 |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Control for BeagleBone SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for emPC-A/iMX6 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for IOT2000 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for Linux SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for PFC100 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for PFC200 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for PLCnext SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for Raspberry Pi SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for WAGO Touch Panels 600 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:34:49.591Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17553\u0026token=cf49757d232ea8021f0c0dd6c65e71ea5942b12d\u0026download="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T14:07:26.160566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:08:13.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Control RTE (SL) ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control RTE (for Beckhoff CX) SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control Win (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Runtime Toolkit ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Safety SIL2 Runtime Toolkit",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Safety SIL2 PSP",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "HMI (SL) ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Development System V3",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Control for BeagleBone SL ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for emPC-A/iMX6 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for IOT2000 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Control for PFC100 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Control for PFC200 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PLCnext SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Raspberry Pi SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for WAGO Touch Panels 600 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Franklin Zhao from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Reid Wightman of Dragos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In multiple products of CODESYS v3 in multiple versions a remote low privileged user\u0026nbsp;could utilize this vulnerability to read and modify system files and OS resources or DoS the device."
}
],
"value": "In multiple products of CODESYS v3 in multiple versions a remote low privileged user\u00a0could utilize this vulnerability to read and modify system files and OS resources or DoS the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188 Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-09T10:47:13.144Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17553\u0026token=cf49757d232ea8021f0c0dd6c65e71ea5942b12d\u0026download="
}
],
"source": {
"defect": [
"CERT@VDE#64318"
],
"discovery": "EXTERNAL"
},
"title": "CODESYS: Exposure of Resource to Wrong Sphere in CODESYS V3",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-4224",
"datePublished": "2023-03-23T11:15:37.014Z",
"dateReserved": "2022-11-30T06:54:13.183Z",
"dateUpdated": "2026-05-29T14:08:13.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41691 (GCVE-0-2025-41691)
Vulnerability from cvelistv5 – Published: 2025-08-04 08:04 – Updated: 2025-08-04 16:32
VLAI
Title
CODESYS Control DoS via Unauthenticated NULL Pointer Dereference
Summary
An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
1 reference
Impacted products
15 products
| Vendor | Product | Version | |
|---|---|---|---|
| CODESYS | Control RTE (SL) |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control RTE (for Beckhoff CX) SL |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control Win (SL) |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | HMI (SL) |
Affected:
3.5.21.10 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control for BeagleBone SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for emPC-A/iMX6 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for IOT2000 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux ARM SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC100 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC200 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PLCnext SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Raspberry Pi SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for WAGO Touch Panels 600 SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Virtual Control SL |
Affected:
4.16.0.0 , < 4.17.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T16:28:09.392670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T16:32:30.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Control RTE (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control RTE (for Beckhoff CX) SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control Win (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "HMI (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "3.5.21.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for BeagleBone SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for emPC-A/iMX6 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for IOT2000 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux ARM SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC100 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC200 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PLCnext SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Raspberry Pi SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for WAGO Touch Panels 600 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Virtual Control SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "4.16.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.\u003cbr\u003e"
}
],
"value": "An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T08:04:34.981Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://certvde.com/de/advisories/VDE-2025-070"
}
],
"source": {
"advisory": "VDE-2025-070",
"defect": [
"CERT@VDE#641834"
],
"discovery": "UNKNOWN"
},
"title": "CODESYS Control DoS via Unauthenticated NULL Pointer Dereference",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41691",
"datePublished": "2025-08-04T08:04:34.981Z",
"dateReserved": "2025-04-16T11:17:48.309Z",
"dateUpdated": "2025-08-04T16:32:30.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41659 (GCVE-0-2025-41659)
Vulnerability from cvelistv5 – Published: 2025-08-04 08:04 – Updated: 2025-08-04 16:35
VLAI
Title
CODESYS Control PKI Exposure Enables Remote Certificate Access
Summary
A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
1 reference
Impacted products
16 products
| Vendor | Product | Version | |
|---|---|---|---|
| CODESYS | Control RTE (SL) |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control RTE (for Beckhoff CX) SL |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control Win (SL) |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | HMI (SL) |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Runtime Toolkit |
Affected:
0.0.0.0 , < 3.5.21.20
(semver)
|
|
| CODESYS | Control for BeagleBone SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for emPC-A/iMX6 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for IOT2000 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux ARM SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Linux SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC100 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PFC200 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for PLCnext SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for Raspberry Pi SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Control for WAGO Touch Panels 600 SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
|
| CODESYS | Virtual Control SL |
Affected:
0.0.0.0 , < 4.17.0.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T16:34:47.316036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T16:35:32.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Control RTE (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control RTE (for Beckhoff CX) SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control Win (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "HMI (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Runtime Toolkit",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.21.20",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for BeagleBone SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for emPC-A/iMX6 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for IOT2000 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux ARM SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC100 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PFC200 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PLCnext SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Raspberry Pi SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for WAGO Touch Panels 600 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Virtual Control SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.17.0.0",
"status": "affected",
"version": "0.0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luca Borzacchiello from Nozomi Networks"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.\u003cbr\u003e"
}
],
"value": "A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T08:04:04.597Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://certvde.com/de/advisories/VDE-2025-051"
}
],
"source": {
"advisory": "VDE-2025-051",
"defect": [
"CERT@VDE#641801"
],
"discovery": "UNKNOWN"
},
"title": "CODESYS Control PKI Exposure Enables Remote Certificate Access",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41659",
"datePublished": "2025-08-04T08:04:04.597Z",
"dateReserved": "2025-04-16T11:17:48.307Z",
"dateUpdated": "2025-08-04T16:35:32.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4224 (GCVE-0-2022-4224)
Vulnerability from cvelistv5 – Published: 2023-03-23 11:15 – Updated: 2026-05-29 14:08
VLAI
Title
CODESYS: Exposure of Resource to Wrong Sphere in CODESYS V3
Summary
In multiple products of CODESYS v3 in multiple versions a remote low privileged user could utilize this vulnerability to read and modify system files and OS resources or DoS the device.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1188 - Insecure Default Initialization of Resource
Assigner
References
1 reference
Impacted products
17 products
| Vendor | Product | Version | |
|---|---|---|---|
| CODESYS | Control RTE (SL) |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Control RTE (for Beckhoff CX) SL |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Control Win (SL) |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Runtime Toolkit |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Safety SIL2 Runtime Toolkit |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Safety SIL2 PSP |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | HMI (SL) |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Development System V3 |
Affected:
3.0.0.0 , < 3.5.19.0
(custom)
|
|
| CODESYS | Control for BeagleBone SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for emPC-A/iMX6 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for IOT2000 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for Linux SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for PFC100 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for PFC200 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for PLCnext SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for Raspberry Pi SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
|
| CODESYS | Control for WAGO Touch Panels 600 SL |
Affected:
3.0.0.0 , < 4.8.0.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:34:49.591Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17553\u0026token=cf49757d232ea8021f0c0dd6c65e71ea5942b12d\u0026download="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T14:07:26.160566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:08:13.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Control RTE (SL) ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control RTE (for Beckhoff CX) SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control Win (SL)",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Runtime Toolkit ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Safety SIL2 Runtime Toolkit",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Safety SIL2 PSP",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "HMI (SL) ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Development System V3",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "3.5.19.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Control for BeagleBone SL ",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for emPC-A/iMX6 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for IOT2000 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Linux SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Control for PFC100 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": " Control for PFC200 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for PLCnext SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for Raspberry Pi SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Control for WAGO Touch Panels 600 SL",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.8.0.0",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Franklin Zhao from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Reid Wightman of Dragos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In multiple products of CODESYS v3 in multiple versions a remote low privileged user\u0026nbsp;could utilize this vulnerability to read and modify system files and OS resources or DoS the device."
}
],
"value": "In multiple products of CODESYS v3 in multiple versions a remote low privileged user\u00a0could utilize this vulnerability to read and modify system files and OS resources or DoS the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188 Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-09T10:47:13.144Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17553\u0026token=cf49757d232ea8021f0c0dd6c65e71ea5942b12d\u0026download="
}
],
"source": {
"defect": [
"CERT@VDE#64318"
],
"discovery": "EXTERNAL"
},
"title": "CODESYS: Exposure of Resource to Wrong Sphere in CODESYS V3",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-4224",
"datePublished": "2023-03-23T11:15:37.014Z",
"dateReserved": "2022-11-30T06:54:13.183Z",
"dateUpdated": "2026-05-29T14:08:13.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}