ADVISORY2025-03_VDE-2025-015
Vulnerability from csaf_codesysgmbh - Published: 2025-03-18 11:00 - Updated: 2025-06-05 13:31Summary
CODESYS Control V3 removable media path traversal
Notes
Summary: A low privileged attacker with physical access to a controller, that supports removable media and is running a CODESYS Control runtime system, can exploit the insufficient path validation by connecting removable media with a file system supporting symbolic links. This could allow the attacker to bypass SysFile restrictions and gain unauthorized access to the entire file system.
Impact: The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Runtimes that include the SysFile component can access the local file system using either the corresponding API or the file browser in the CODESYS Development System. By default, this access is restricted to the software's own dedicated working directory. Additionally, with User Management enabled by default, user authentication is required to access the file via the file browser or to download a PLC program. By using placeholders, that act like an environment variable to easily access configured paths, a whitelist inside and outside this own working directory can be configured. In certain configurations, a visible PlaceholderFilePath can be used to automatically enable access to removable media for the CODESYS controller runtime system. For more details, see the descriptions of the setting 'FilePath' and 'PlaceholderFilePath' in the CODESYS Control runtime system documentation.
This vulnerability is only relevant if the controller has a slot for removable media (other than the one used for the boot partition) and an attacker has physical access to the device. By connecting a removable media with a file system supporting symbolic links, that contains a symbolic link pointing to a directory outside the dedicated working directory, an authenticated attacker can bypass SysFile restrictions due to insufficient path validation and gain unauthorized access to the controller's file system. The level of access (read or write) depends on the privileges of both the runtime process and the user account, which is used by the attacker to authenticate at the CODESYS Control system.
CODESYS Control runtime systems are only affected by the vulnerability if both of the following conditions are met:
* The device has a slot for removable media, in addition to the boot partition, as this is the only way to actually exploit a symbolic link.
* A non-default CODESYS Control runtime configuration that includes a predefined 'PlaceholderFilePath' for removable media.
This applies to all products based on the CODESYS Runtime Toolkit, regardless of whether they are supplied by CODESYS or another device manufacturer.
Following CODESYS Control products are affected by default to this vulnerability due to a preconfigured volatile PlaceholderFilePath for removable media:
* CODESYS Control for BeagleBone SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for WAGO Touch Panels 600 SL
All other CODESYS Control runtime products are not affected by the vulnerability in the default configuration.
Note: CVE-2024-12429 describes a similar vulnerability that was originally reported for the products of an OEM customer.
Mitigation: Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the controller should only be granted to authorized persons. Especially in the case of productive control systems, physical manipulation of the controller can affect the controlled machine or process. This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.
To exploit this vulnerability, a successful login to the affected product is required. The online user management therefore protects from exploiting this security vulnerability. CODESYS GmbH strongly recommends using the online user management, which is enforced by default. This not only prevents from accessing the file system with malicious symbolic links, but also suppresses modifying the PLC application, or starting, stopping, debugging or other actions on a known working PLC application that could potentially disrupt a machine or system.
To fully mitigate this vulnerability, system administrators can restrict the use of removable media to devices that do not support symbolic links, such as FAT16 or FAT32. Since these file systems lack symbolic link functionality, this effectively prevents any symbolic link-based attacks.
Alternatively, remove PlaceHolderFilePath settings from the CODESYS Control configuration file, which point to removable media such as:
[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$
Remediation: Update the following products to version 3.5.21.0.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS Runtime Toolkit
Update the following products to version 4.15.0.0.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL
If removable media is configured for the CODESYS Control runtime, make sure that any additional removable storage beyond the boot partition is set as volatile in the CODESYS Control configuration file with the entry "PlaceholderFilePath.<n>.Volatile=1". Then the fixed CODESYS Control runtime systems ensure that only configured/permitted paths can be accessed, even with a symbolic link on a removable media. Example:
[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$
PlaceholderFilePath.1.View=1
PlaceholderFilePath.1.Volatile=1
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice
defense measures:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions
For more information and general recommendations for protecting machines and plants, see also the
CODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses
that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.
Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or
liability on the part of CODESYS GmbH.
Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions,
please contact sales@codesys.com.
Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access.
6.6 (Medium)
Mitigation
Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the controller should only be granted to authorized persons. Especially in the case of productive control systems, physical manipulation of the controller can affect the controlled machine or process. This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.
To exploit this vulnerability, a successful login to the affected product is required. The online user management therefore protects from exploiting this security vulnerability. CODESYS GmbH strongly recommends using the online user management, which is enforced by default. This not only prevents from accessing the file system with malicious symbolic links, but also suppresses modifying the PLC application, or starting, stopping, debugging or other actions on a known working PLC application that could potentially disrupt a machine or system.
To fully mitigate this vulnerability, system administrators can restrict the use of removable media to devices that do not support symbolic links, such as FAT16 or FAT32. Since these file systems lack symbolic link functionality, this effectively prevents any symbolic link-based attacks.
Alternatively, remove PlaceHolderFilePath settings from the CODESYS Control configuration file, which point to removable media such as:
[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$
Vendor Fix
Update the following products to version 3.5.21.0.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS Runtime Toolkit
If removable media is configured for the CODESYS Control runtime, make sure that any additional removable storage beyond the boot partition is set as volatile in the CODESYS Control configuration file with the entry "PlaceholderFilePath.<n>.Volatile=1". Then the fixed CODESYS Control runtime systems ensure that only configured/permitted paths can be accessed, even with a symbolic link on a removable media. Example:
[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$
PlaceholderFilePath.1.View=1
PlaceholderFilePath.1.Volatile=1
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.
Vendor Fix
Update the following products to version 4.15.0.0.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL
If removable media is configured for the CODESYS Control runtime, make sure that any additional removable storage beyond the boot partition is set as volatile in the CODESYS Control configuration file with the entry "PlaceholderFilePath.<n>.Volatile=1". Then the fixed CODESYS Control runtime systems ensure that only configured/permitted paths can be accessed, even with a symbolic link on a removable media. Example:
[SysFile]
PlaceholderFilePath.1=/media/usb, $USB$
PlaceholderFilePath.1.View=1
PlaceholderFilePath.1.Volatile=1
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.
References
Acknowledgments
CERT@VDE
certvde.com
CyberDanube
D. Blagojevic, S.Dietz and T. Weber
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"D. Blagojevic, S.Dietz and T. Weber"
],
"organization": "CyberDanube",
"summary": "reporting"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A low privileged attacker with physical access to a controller, that supports removable media and is running a CODESYS Control runtime system, can exploit the insufficient path validation by connecting removable media with a file system supporting symbolic links. This could allow the attacker to bypass SysFile restrictions and gain unauthorized access to the entire file system.",
"title": "Summary"
},
{
"category": "description",
"text": "The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Runtimes that include the SysFile component can access the local file system using either the corresponding API or the file browser in the CODESYS Development System. By default, this access is restricted to the software\u0027s own dedicated working directory. Additionally, with User Management enabled by default, user authentication is required to access the file via the file browser or to download a PLC program. By using placeholders, that act like an environment variable to easily access configured paths, a whitelist inside and outside this own working directory can be configured. In certain configurations, a visible PlaceholderFilePath can be used to automatically enable access to removable media for the CODESYS controller runtime system. For more details, see the descriptions of the setting \u0027FilePath\u0027 and \u0027PlaceholderFilePath\u0027 in the CODESYS Control runtime system documentation.\n\nThis vulnerability is only relevant if the controller has a slot for removable media (other than the one used for the boot partition) and an attacker has physical access to the device. By connecting a removable media with a file system supporting symbolic links, that contains a symbolic link pointing to a directory outside the dedicated working directory, an authenticated attacker can bypass SysFile restrictions due to insufficient path validation and gain unauthorized access to the controller\u0027s file system. The level of access (read or write) depends on the privileges of both the runtime process and the user account, which is used by the attacker to authenticate at the CODESYS Control system.\n\nCODESYS Control runtime systems are only affected by the vulnerability if both of the following conditions are met:\n* The device has a slot for removable media, in addition to the boot partition, as this is the only way to actually exploit a symbolic link.\n* A non-default CODESYS Control runtime configuration that includes a predefined \u0027PlaceholderFilePath\u0027 for removable media.\n\nThis applies to all products based on the CODESYS Runtime Toolkit, regardless of whether they are supplied by CODESYS or another device manufacturer.\n\nFollowing CODESYS Control products are affected by default to this vulnerability due to a preconfigured volatile PlaceholderFilePath for removable media:\n* CODESYS Control for BeagleBone SL\n* CODESYS Control for PFC100 SL\n* CODESYS Control for PFC200 SL\n* CODESYS Control for WAGO Touch Panels 600 SL\n\nAll other CODESYS Control runtime products are not affected by the vulnerability in the default configuration.\nNote: CVE-2024-12429 describes a similar vulnerability that was originally reported for the products of an OEM customer.",
"title": "Impact"
},
{
"category": "description",
"text": "Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the controller should only be granted to authorized persons. Especially in the case of productive control systems, physical manipulation of the controller can affect the controlled machine or process. This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.\n\nTo exploit this vulnerability, a successful login to the affected product is required. The online user management therefore protects from exploiting this security vulnerability. CODESYS GmbH strongly recommends using the online user management, which is enforced by default. This not only prevents from accessing the file system with malicious symbolic links, but also suppresses modifying the PLC application, or starting, stopping, debugging or other actions on a known working PLC application that could potentially disrupt a machine or system.\n\nTo fully mitigate this vulnerability, system administrators can restrict the use of removable media to devices that do not support symbolic links, such as FAT16 or FAT32. Since these file systems lack symbolic link functionality, this effectively prevents any symbolic link-based attacks.\n\nAlternatively, remove PlaceHolderFilePath settings from the CODESYS Control configuration file, which point to removable media such as:\n\n [SysFile]\n PlaceholderFilePath.1=/media/usb, $USB$",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update the following products to version 3.5.21.0.\n* CODESYS Control RTE (SL)\n* CODESYS Control RTE (for Beckhoff CX) SL\n* CODESYS Control Win (SL)\n* CODESYS Runtime Toolkit\n\nUpdate the following products to version 4.15.0.0.\n* CODESYS Control for BeagleBone SL\n* CODESYS Control for emPC-A/iMX6 SL\n* CODESYS Control for IOT2000 SL\n* CODESYS Control for Linux ARM SL\n* CODESYS Control for Linux SL\n* CODESYS Control for PFC100 SL\n* CODESYS Control for PFC200 SL\n* CODESYS Control for PLCnext SL\n* CODESYS Control for Raspberry Pi SL\n* CODESYS Control for WAGO Touch Panels 600 SL\n* CODESYS Virtual Control SL\n\nIf removable media is configured for the CODESYS Control runtime, make sure that any additional removable storage beyond the boot partition is set as volatile in the CODESYS Control configuration file with the entry \"PlaceholderFilePath.\u003cn\u003e.Volatile=1\". Then the fixed CODESYS Control runtime systems ensure that only configured/permitted paths can be accessed, even with a symbolic link on a removable media. Example:\n\n [SysFile]\n PlaceholderFilePath.1=/media/usb, $USB$\n PlaceholderFilePath.1.View=1\n PlaceholderFilePath.1.Volatile=1\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.",
"title": "Remediation"
},
{
"category": "general",
"text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
"title": "General Recommendation"
},
{
"category": "legal_disclaimer",
"text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@codesys.com",
"name": "CODESYS GmbH",
"namespace": "https://www.codesys.com"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for CODESYS GmbH",
"url": "https://certvde.com/en/advisories/vendor/codesys"
},
{
"category": "self",
"summary": "Advisory2025-03_VDE-2025-015: CODESYS Control V3 removable media path traversal - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-015/"
},
{
"category": "self",
"summary": "Advisory2025-03_VDE-2025-015: CODESYS Control V3 removable media path traversal - CSAF",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2025/advisory2025-03_vde-2025-015.json"
},
{
"category": "external",
"summary": "CODESYS Security Advisories",
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"category": "self",
"summary": "Advisory2025-03_VDE-2025-015: CODESYS Control V3 removable media path traversal - PDF",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=18831\u0026token=cd579991c6621f86d4333df35d00c0f1ade02777\u0026download="
}
],
"title": "CODESYS Control V3 removable media path traversal",
"tracking": {
"aliases": [
"VDE-2025-015",
"CODESYS Security Advisory 2025-03"
],
"current_release_date": "2025-06-05T13:31:01.000Z",
"generator": {
"date": "2025-03-27T10:48:06.171Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.21"
}
},
"id": "Advisory2025-03_VDE-2025-015",
"initial_release_date": "2025-03-18T11:00:00.000Z",
"revision_history": [
{
"date": "2025-03-18T11:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-04-03T10:00:00.000Z",
"number": "2",
"summary": "Removed version 4.16.0.0 as 4.15.0.0 version includes the fixes."
},
{
"date": "2025-06-05T13:31:01.000Z",
"number": "3",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.5.21.0",
"product": {
"name": "CODESYS Control RTE (SL) \u003c3.5.21.0",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "3.5.21.0",
"product": {
"name": "CODESYS Control RTE (SL) 3.5.21.0",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "CODESYS Control RTE (SL)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.5.21.0",
"product": {
"name": "CODESYS Control RTE (for Beckhoff CX) SL \u003c3.5.21.0",
"product_id": "CSAFPID-51002"
}
},
{
"category": "product_version",
"name": "3.5.21.0",
"product": {
"name": "CODESYS Control RTE (for Beckhoff CX) SL 3.5.21.0",
"product_id": "CSAFPID-52002"
}
}
],
"category": "product_name",
"name": "CODESYS Control RTE (for Beckhoff CX) SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.5.21.0",
"product": {
"name": "CODESYS Control Win (SL) \u003c3.5.21.0",
"product_id": "CSAFPID-51003"
}
},
{
"category": "product_version",
"name": "3.5.21.0",
"product": {
"name": "CODESYS Control Win (SL) 3.5.21.0",
"product_id": "CSAFPID-52003"
}
}
],
"category": "product_name",
"name": "CODESYS Control Win (SL)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.5.21.0",
"product": {
"name": "CODESYS Runtime Toolkit \u003c3.5.21.0",
"product_id": "CSAFPID-51004"
}
},
{
"category": "product_version",
"name": "3.5.21.0",
"product": {
"name": "CODESYS Runtime Toolkit 3.5.21.0",
"product_id": "CSAFPID-52004"
}
}
],
"category": "product_name",
"name": "CODESYS Runtime Toolkit"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for BeagleBone SL \u003c4.15.0.0",
"product_id": "CSAFPID-51005"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for BeagleBone SL 4.15.0.0",
"product_id": "CSAFPID-52005"
}
}
],
"category": "product_name",
"name": "CODESYS Control for BeagleBone SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for emPC-A/iMX6 SL \u003c4.15.0.0",
"product_id": "CSAFPID-51006"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for emPC-A/iMX6 SL 4.15.0.0",
"product_id": "CSAFPID-52006"
}
}
],
"category": "product_name",
"name": "CODESYS Control for emPC-A/iMX6 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for IOT2000 SL \u003c4.15.0.0",
"product_id": "CSAFPID-51007"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for IOT2000 SL 4.15.0.0",
"product_id": "CSAFPID-52007"
}
}
],
"category": "product_name",
"name": "CODESYS Control for IOT2000 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for Linux ARM SL \u003c4.15.0.0",
"product_id": "CSAFPID-51008"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CCODESYS Control for Linux ARM SL 4.15.0.0",
"product_id": "CSAFPID-52008"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Linux ARM SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for Linux SL \u003c4.15.0.0",
"product_id": "CSAFPID-51009"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for Linux SL 4.15.0.0",
"product_id": "CSAFPID-52009"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Linux SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for PFC100 SL \u003c4.15.0.0",
"product_id": "CSAFPID-51010"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for PFC100 SL 4.15.0.0",
"product_id": "CSAFPID-52010"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC100 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for PFC200 SL \u003c4.15.0.0",
"product_id": "CSAFPID-51011"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for PFC200 SL 4.15.0.0",
"product_id": "CSAFPID-52011"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC200 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for PLCnext SL \u003c4.15.0.0",
"product_id": "CSAFPID-51012"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for PLCnext SL 4.15.0.0",
"product_id": "CSAFPID-52012"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PLCnext SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for Raspberry Pi SL \u003c4.15.0.0",
"product_id": "CSAFPID-51013"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for Raspberry Pi SL 4.15.0.0",
"product_id": "CSAFPID-52013"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Raspberry Pi SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Control for WAGO Touch Panels 600 SL \u003c4.15.0.0",
"product_id": "CSAFPID-51014"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Control for WAGO Touch Panels 600 SL 4.15.0.0",
"product_id": "CSAFPID-52014"
}
}
],
"category": "product_name",
"name": "CODESYS Control for WAGO Touch Panels 600 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.15.0.0",
"product": {
"name": "CODESYS Virtual Control SL \u003c4.15.0.0",
"product_id": "CSAFPID-51015"
}
},
{
"category": "product_version",
"name": "4.15.0.0",
"product": {
"name": "CODESYS Virtual Control SL 4.15.0.0",
"product_id": "CSAFPID-52015"
}
}
],
"category": "product_name",
"name": "CODESYS Virtual Control SL"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "CODESYS"
}
],
"product_groups": [
{
"group_id": "CSAFGID-1001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004"
],
"summary": "Affected products v3.5.x."
},
{
"group_id": "CSAFGID-2001",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004"
],
"summary": "Fixed products v3.5.x."
},
{
"group_id": "CSAFGID-1002",
"product_ids": [
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-51010",
"CSAFPID-51011",
"CSAFPID-51012",
"CSAFPID-51013",
"CSAFPID-51014",
"CSAFPID-51015"
],
"summary": "Affected products v4.x."
},
{
"group_id": "CSAFGID-2002",
"product_ids": [
"CSAFPID-52005",
"CSAFPID-52006",
"CSAFPID-52007",
"CSAFPID-52008",
"CSAFPID-52009",
"CSAFPID-52010",
"CSAFPID-52011",
"CSAFPID-52012",
"CSAFPID-52013",
"CSAFPID-52014",
"CSAFPID-52015"
],
"summary": "Fixed products v4.x."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-0694",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006",
"CSAFPID-52007",
"CSAFPID-52008",
"CSAFPID-52009",
"CSAFPID-52010",
"CSAFPID-52011",
"CSAFPID-52012",
"CSAFPID-52013",
"CSAFPID-52014",
"CSAFPID-52015"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-51010",
"CSAFPID-51011",
"CSAFPID-51012",
"CSAFPID-51013",
"CSAFPID-51014",
"CSAFPID-51015"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Regardless of the vulnerability described here, CODESYS GmbH recommends that physical access to the controller should only be granted to authorized persons. Especially in the case of productive control systems, physical manipulation of the controller can affect the controlled machine or process. This generally recommended restriction of access also reduces the attack surface for this vulnerability, as its exploitation requires physical access.\n\nTo exploit this vulnerability, a successful login to the affected product is required. The online user management therefore protects from exploiting this security vulnerability. CODESYS GmbH strongly recommends using the online user management, which is enforced by default. This not only prevents from accessing the file system with malicious symbolic links, but also suppresses modifying the PLC application, or starting, stopping, debugging or other actions on a known working PLC application that could potentially disrupt a machine or system.\n\nTo fully mitigate this vulnerability, system administrators can restrict the use of removable media to devices that do not support symbolic links, such as FAT16 or FAT32. Since these file systems lack symbolic link functionality, this effectively prevents any symbolic link-based attacks.\n\nAlternatively, remove PlaceHolderFilePath settings from the CODESYS Control configuration file, which point to removable media such as:\n\n [SysFile]\n PlaceholderFilePath.1=/media/usb, $USB$\n",
"group_ids": [
"CSAFGID-1001",
"CSAFGID-1002"
]
},
{
"category": "vendor_fix",
"details": "Update the following products to version 3.5.21.0.\n* CODESYS Control RTE (SL)\n* CODESYS Control RTE (for Beckhoff CX) SL\n* CODESYS Control Win (SL)\n* CODESYS Runtime Toolkit\n\nIf removable media is configured for the CODESYS Control runtime, make sure that any additional removable storage beyond the boot partition is set as volatile in the CODESYS Control configuration file with the entry \"PlaceholderFilePath.\u003cn\u003e.Volatile=1\". Then the fixed CODESYS Control runtime systems ensure that only configured/permitted paths can be accessed, even with a symbolic link on a removable media. Example:\n\n [SysFile]\n PlaceholderFilePath.1=/media/usb, $USB$\n PlaceholderFilePath.1.View=1\n PlaceholderFilePath.1.Volatile=1\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.",
"group_ids": [
"CSAFGID-2001"
]
},
{
"category": "vendor_fix",
"details": "Update the following products to version 4.15.0.0.\n* CODESYS Control for BeagleBone SL\n* CODESYS Control for emPC-A/iMX6 SL\n* CODESYS Control for IOT2000 SL\n* CODESYS Control for Linux ARM SL\n* CODESYS Control for Linux SL\n* CODESYS Control for PFC100 SL\n* CODESYS Control for PFC200 SL\n* CODESYS Control for PLCnext SL\n* CODESYS Control for Raspberry Pi SL\n* CODESYS Control for WAGO Touch Panels 600 SL\n* CODESYS Virtual Control SL\n\nIf removable media is configured for the CODESYS Control runtime, make sure that any additional removable storage beyond the boot partition is set as volatile in the CODESYS Control configuration file with the entry \"PlaceholderFilePath.\u003cn\u003e.Volatile=1\". Then the fixed CODESYS Control runtime systems ensure that only configured/permitted paths can be accessed, even with a symbolic link on a removable media. Example:\n\n [SysFile]\n PlaceholderFilePath.1=/media/usb, $USB$\n PlaceholderFilePath.1.View=1\n PlaceholderFilePath.1.Volatile=1 \n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download.",
"group_ids": [
"CSAFGID-2002"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 6.6,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 6.6,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-51010",
"CSAFPID-51011",
"CSAFPID-51012",
"CSAFPID-51013",
"CSAFPID-51014",
"CSAFPID-51015"
]
}
],
"title": "CVE-2025-0694"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…