ADVISORY2025-06_VDE-2025-049
Vulnerability from csaf_codesysgmbh - Published: 2025-08-04 10:00 - Updated: 2025-08-04 10:00
Summary
CODESYS Control V3 - Insecure default permissions
Severity
Medium
Notes
Summary: On certain operating systems (e.g., Linux), default file system permissions may allow read access to the files of the CODESYS Control runtime system for non-administrator users. The documentation provided with the CODESYS Runtime Toolkit does not explicitly address this risk. As a result, products based on the toolkit may unintentionally expose sensitive runtime files to local operating system users with limited privileges.
Devices based on the CODESYS Control runtime system are affected if they provide access to the operating system (e.g., via a local user interface or SSH) and user accounts without administrator rights for this access exist or can be created.
Impact: The affected products do not explicitly restrict read permissions for other local operating system users, potentially allowing unauthorized access to sensitive runtime files.
Mitigation: If the CODESYS Control runtime system is operated on an operating system with multi-user support, other users may potentially gain access to runtime-related files. Thus, it is essential to configure the storage locations for CODESYS Control runtime files in accordance with the operating system's security best practices. These locations should, by default, restrict access to unauthorized users. If the operating system does not support such access control mechanisms or if implementing them is not feasible, an alternative approach is to explicitly revoke read and write permissions for all non-administrative users on the directories used by the CODESYS Control runtime system.
The following directories must be secured:
* The directory containing configuration files
* The directory containing binary files
* The working directory used by the runtime system
Note: Protecting individual files is not sufficient. The entire directories must be secured to ensure that any files created in the future are also protected.
Alternatively, where applicable, all non-administrative user accounts can be removed from the system, and their re-creation should be prevented. Additionally, it is recommended to disable remote access methods that allow file access (e.g., SSH) wherever possible, in order to reduce the overall attack surface.
Best practice recommendations for Linux and QNX Systems:
* Create a dedicated privileged group for accessing the above-mentioned directories, and add the user account under which the runtime process is executed to this group.
* Set the file system permissions for these directories to deny access to "other" users (e.g., chmod o-rx).
* If access for additional users is required, they can be added to the privileged group as needed.
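The following POSIX shell script is an added example, not code or documentation from CODESYS GmbH; it applies the Linux best practice above (dedicated group, runtime user in that group, no "other" access on the whole directory) and verifies the result. The group name, runtime user and directory paths are placeholders passed as arguments, since the advisory names none of them.

```shell
#!/bin/sh
# Hardening and verification helper for the three CODESYS Control runtime
# directory classes named in the advisory (configuration, binaries, working
# directory). Added example; not CODESYS code or documentation.
# Assumptions (placeholders, the advisory names none of these):
#   RT_GROUP - the dedicated privileged group
#   RT_USER  - the account the runtime process runs as
#   the directories to protect are passed as arguments

# Print the "other" permission digit of a path (0 means no r, w or x for others).
# Uses GNU stat on Linux and falls back to BSD stat.
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"    # keep only the last octal digit
}

# Exit 0 only if "other" has no access to the directory itself. This is the
# control the advisory asks for: without x on the directory, other users cannot
# reach any file inside it, including files created later with a permissive
# umask. Descendants that are still world-accessible are listed as warnings.
check_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    bits=$(other_bits "$dir") || return 2
    if [ "$bits" != 0 ]; then
        echo "INSECURE: $dir has other-bits $bits, other users can traverse or read it" >&2
        return 1
    fi
    # POSIX find: any entry that still has an r, w or x bit for "other"
    find "$dir" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print 2>/dev/null \
        | sed 's/^/warning: world-accessible entry: /' >&2
    return 0
}

# Apply the advisory's Linux best practice to one directory tree: group
# ownership to the privileged group, setgid so new entries inherit that group,
# and no access for "other" (the advisory's chmod o-rx, plus o-w for write).
harden_dir() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chgrp -R "$group" "$dir" || return 1
    chmod -R o-rwx "$dir" || return 1
    chmod g+s "$dir" || return 1
}

# Create the group, add the runtime user to it, then harden every directory
# given. Group and user changes need root; chgrp/chmod need ownership of the tree.
harden_runtime() {
    group=$1; user=$2; shift 2
    getent group "$group" >/dev/null 2>&1 || groupadd "$group" || return 1
    id -nG "$user" | tr ' ' '\n' | grep -qx "$group" \
        || usermod -aG "$group" "$user" || return 1
    rc=0
    for d in "$@"; do
        harden_dir "$d" "$group" || rc=1
    done
    return $rc
}

# Usage:  sh harden.sh apply RT_GROUP RT_USER /path/cfg /path/bin /path/work
#         sh harden.sh check /path/cfg /path/bin /path/work
case "${1:-}" in
    apply) shift; harden_runtime "$@" ;;
    check) shift; rc=0; for d in "$@"; do check_dir "$d" || rc=1; done; exit $rc ;;
esac
```

Administrator accounts (root) keep access regardless of these bits, as the advisory notes; the check only tells you that non-privileged local users are locked out.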
Remediation: Version 3.5.21.20 of the following product provides an updated CODESYS Control V3 Runtime System Documentation:
* CODESYS Runtime Toolkit
In particular, Chapter 5 (Architecture Manual), Section 5.4 (Portings), Subsection 5.4.1 (Security Considerations), Subsection 5.4.1.1 (Operating System Folder Permissions) now provides detailed guidance for device manufacturers on how to address the described security vulnerability. The same information is also included as Mitigation in this advisory.
CODESYS GmbH strongly recommends that this guidance be followed in order to effectively close the security vulnerability on affected devices. Devices are particularly at risk if they offer direct access to the operating system (e.g., via a local user interface or SSH) in combination with the presence or possibility of creating non-administrator user accounts for such access.
Important: Updating the toolkit is not sufficient. For affected customer devices based on the CODESYS Runtime Toolkit, the vulnerability needs to be resolved following the instructions in the mentioned documentation.
Update the following products to version 4.16.0.0.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL
For the updated CODESYS Control SL products, CODESYS GmbH has implemented the necessary measures to address the identified security vulnerability. As a result, access to the runtime directories is now restricted to the Linux user account under which the CODESYS Control runtime is executed. Access is explicitly denied to all other non-administrator users.
Note: Administrator users (e.g., root) may still retain access.
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.
For the following product no fix is available.
* CODESYS Control for PLCnext SL
Since there is no fix available for this product, CODESYS GmbH strongly recommends removing all other existing non-administrator users of the operating system and preventing their re-creation in order to neutralize the security vulnerability.
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions
For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH.
Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.
CVE-2025-41658 (CWE-276: Incorrect Default Permissions)
Vulnerability Description: CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.
CVSS v3.1 Base Score: 5.5 (Medium), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
* CERT@VDE Security Advisories for CODESYS GmbH: https://certvde.com/en/advisories/vendor/codesys
* Advisory2025-06_VDE-2025-049 (HTML): https://certvde.com/en/advisories/VDE-2025-049/
* Advisory2025-06_VDE-2025-049 (CSAF): https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2025/advisory2025-06_vde-2025-049.json
* Advisory2025-06_VDE-2025-049 (PDF): https://codesys.com/fileadmin/user_upload/CODESYS_Group/Ecosystem/Up-to-Date/Security/Security-Advisories/Advisory2025-06_CDS-93243.pdf
* CODESYS Security Advisories: https://www.codesys.com/security/security-reports.html
Acknowledgments
* CERT@VDE (coordination): https://certvde.com
* Luca Borzacchiello, Nozomi Networks (reporting)
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Luca Borzacchiello"
],
"organization": "Nozomi Networks",
"summary": "reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Medium"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "On certain operating systems (e.g., Linux), default file system permissions may allow read access to the files of the CODESYS Control runtime system for non-administrator users. The documentation provided with the CODESYS Runtime Toolkit does not explicitly address this risk. As a result, products based on the toolkit may unintentionally expose sensitive runtime files to local operating system users with limited privileges.\n\nCODESYS Control runtime system based devices are affected if they provide access to the operating system (e.g., via a local user interface or SSH) and user accounts without administrator rights for this access exist or can be created.",
"title": "Summary"
},
{
"category": "description",
"text": "The affected products do not explicitly restrict read permissions for other local operating system users, potentially allowing unauthorized access to sensitive runtime files.",
"title": "Impact"
},
{
"category": "description",
"text": "If the CODESYS Control runtime system is operated on an operating system with multi-user support, other users may potentially gain access to runtime-related files. Thus, it is essential to configure the storage locations for CODESYS Control runtime files in accordance with the operating system\u0027s security best practices. These locations should, by default, restrict access to unauthorized users. If the operating system does not support such access control mechanisms or if implementing them is not feasible, an alternative approach is to explicitly revoke read and write permissions for all non-administrative users on the directories used by the CODESYS Control runtime system.\n\nThe following directories must be secured:\n* The directory containing configuration files\n* The directory containing binary files\n* The working directory used by the runtime system\n\nNote: Protecting individual files is not sufficient. The entire directories must be secured to ensure that any files created in the future are also protected.\n\nAlternatively, where applicable, all non-administrative user accounts can be removed from the system, and their re-creation should be prevented. Additionally, it is recommended to disable remote access methods that allow file access (e.g., SSH) wherever possible, in order to reduce the overall attack surface.\n\nBest practice recommendations for Linux and QNX Systems:\n* Create a dedicated privileged group for accessing the above-mentioned directories, and add the user account under which the runtime process is executed to this group.\n* Set the file system permissions for these directories to deny access to \"other\" users (e.g., chmod o-rx).\n* If access for additional users is required, they can be added to the privileged group as needed. \n",
"title": "Mitigation"
},
{
"category": "description",
"text": "Version 3.5.21.20 of the following product provides an updated CODESYS Control V3 Runtime System Documentation:\n* CODESYS Runtime Toolkit\n\nIn particular, Chapter 5 (Architecture Manual), Section 5.4 (Portings), Subsection 5.4.1 (Security Considerations), Subsection 5.4.1.1 (Operating System Folder Permissions) now provides detailed guidance for device manufacturers on how to address the described security vulnerability. The same information is also included as Mitigation in this advisory.\n\nCODESYS GmbH strongly recommends that this guidance be followed in order to effectively close the security vulnerability on affected devices. Devices are particularly at risk if they offer direct access to the operating system (e.g., via a local user interface or SSH) in combination with the presence or possibility of creating non-administrator user accounts for such access.\n\nImportant: Updating the toolkit is not sufficient. For affected customer devices based on the CODESYS Runtime Toolkit the vulnerability needs to be resolved following the instructions in the mentioned documentation.\n\nUpdate the following products to version 4.16.0.0.\n* CODESYS Control for BeagleBone SL\n* CODESYS Control for emPC-A/iMX6 SL\n* CODESYS Control for IOT2000 SL\n* CODESYS Control for Linux ARM SL\n* CODESYS Control for Linux SL\n* CODESYS Control for PFC100 SL\n* CODESYS Control for PFC200 SL\n* CODESYS Control for Raspberry Pi SL\n* CODESYS Control for WAGO Touch Panels 600 SL\n* CODESYS Virtual Control SL\n\nFor the updated CODESYS Control SL products, CODESYS GmbH has implemented the necessary measures to address the identified security vulnerability. As a result, access to the runtime directories is now restricted to the Linux user account under which the CODESYS Control runtime is executed. Access is explicitly denied to all other non-administrator users.\n\nNote: Administrator users (e.g., root) may still retain access.\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.\n\nFor the following product no fix is available.\n* CODESYS Control for PLCnext SL\n\nSince there is no fix available for this product, CODESYS GmbH strongly recommends removing all other existing non-administrator users of the operating system and preventing their re-creation in order to neutralize the security vulnerability.",
"title": "Remediation"
},
{
"category": "general",
"text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
"title": "General Recommendation"
},
{
"category": "legal_disclaimer",
"text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@codesys.com",
"name": "CODESYS GmbH",
"namespace": "https://www.codesys.com"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for CODESYS GmbH",
"url": "https://certvde.com/en/advisories/vendor/codesys"
},
{
"category": "self",
"summary": "Advisory2025-06_VDE-2025-049: CODESYS Control V3 - Insecure default permissions - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-049/"
},
{
"category": "self",
"summary": "Advisory2025-06_VDE-2025-049: CODESYS Control V3 - Insecure default permissions - CSAF",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2025/advisory2025-06_vde-2025-049.json"
},
{
"category": "external",
"summary": "CODESYS Security Advisories",
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"category": "self",
"summary": "Advisory2025-06_VDE-2025-049: CODESYS Control V3 - Insecure default permissions - PDF",
"url": "https://codesys.com/fileadmin/user_upload/CODESYS_Group/Ecosystem/Up-to-Date/Security/Security-Advisories/Advisory2025-06_CDS-93243.pdf"
}
],
"title": "CODESYS Control V3 - Insecure default permissions",
"tracking": {
"aliases": [
"VDE-2025-049",
"CODESYS Security Advisory 2025-06"
],
"current_release_date": "2025-08-04T10:00:00.000Z",
"generator": {
"date": "2025-08-01T06:52:33.216Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.31"
}
},
"id": "Advisory2025-06_VDE-2025-049",
"initial_release_date": "2025-08-04T10:00:00.000Z",
"revision_history": [
{
"date": "2025-08-04T10:00:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.5.21.20",
"product": {
"name": "CODESYS Runtime Toolkit \u003c 3.5.21.20",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "3.5.21.20",
"product": {
"name": "CODESYS Runtime Toolkit 3.5.21.20",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "CODESYS Runtime Toolkit"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for BeagleBone SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51002"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for BeagleBone SL 4.16.0.0",
"product_id": "CSAFPID-52002"
}
}
],
"category": "product_name",
"name": "CODESYS Control for BeagleBone SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for emPC-A/iMX6 SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51003"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for emPC-A/iMX6 SL 4.16.0.0",
"product_id": "CSAFPID-52003"
}
}
],
"category": "product_name",
"name": "CODESYS Control for emPC-A/iMX6 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for IOT2000 SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51004"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for IOT2000 SL 4.16.0.0",
"product_id": "CSAFPID-52004"
}
}
],
"category": "product_name",
"name": "CODESYS Control for IOT2000 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for Linux ARM SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51005"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for Linux ARM SL 4.16.0.0",
"product_id": "CSAFPID-52005"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Linux ARM SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for Linux SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51006"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for Linux SL 4.16.0.0",
"product_id": "CSAFPID-52006"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Linux SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for PFC100 SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51007"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for PFC100 SL 4.16.0.0",
"product_id": "CSAFPID-52007"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC100 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for PFC200 SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51008"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for PFC200 SL 4.16.0.0",
"product_id": "CSAFPID-52008"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PFC200 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for PLCnext SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51009"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for PLCnext SL 4.16.0.0",
"product_id": "CSAFPID-52009"
}
}
],
"category": "product_name",
"name": "CODESYS Control for PLCnext SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for Raspberry Pi SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51010"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for Raspberry Pi SL 4.16.0.0",
"product_id": "CSAFPID-52010"
}
}
],
"category": "product_name",
"name": "CODESYS Control for Raspberry Pi SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Control for WAGO Touch Panels 600 SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51011"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Control for WAGO Touch Panels 600 SL 4.16.0.0",
"product_id": "CSAFPID-52011"
}
}
],
"category": "product_name",
"name": "CODESYS Control for WAGO Touch Panels 600 SL"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.16.0.0",
"product": {
"name": "CODESYS Virtual Control SL \u003c 4.16.0.0",
"product_id": "CSAFPID-51012"
}
},
{
"category": "product_version",
"name": "4.16.0.0",
"product": {
"name": "CODESYS Virtual Control SL 4.16.0.0",
"product_id": "CSAFPID-52012"
}
}
],
"category": "product_name",
"name": "CODESYS Virtual Control SL "
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "CODESYS"
}
],
"product_groups": [
{
"group_id": "CSAFGID-1001",
"product_ids": [
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-51010",
"CSAFPID-51011",
"CSAFPID-51012"
],
"summary": "Affected products v4.x."
},
{
"group_id": "CSAFGID-2001",
"product_ids": [
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006",
"CSAFPID-52007",
"CSAFPID-52008",
"CSAFPID-52010",
"CSAFPID-52011",
"CSAFPID-52012"
],
"summary": "Fixed products v4.x."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41658",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006",
"CSAFPID-52007",
"CSAFPID-52008",
"CSAFPID-52010",
"CSAFPID-52011",
"CSAFPID-52012"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-51010",
"CSAFPID-51011",
"CSAFPID-51012"
]
},
"remediations": [
{
"category": "mitigation",
"details": "If the CODESYS Control runtime system is operated on an operating system with multi-user support, other users may potentially gain access to runtime-related files. Thus, it is essential to configure the storage locations for CODESYS Control runtime files in accordance with the operating system\u0027s security best practices. These locations should, by default, restrict access to unauthorized users. If the operating system does not support such access control mechanisms or if implementing them is not feasible, an alternative approach is to explicitly revoke read and write permissions for all non-administrative users on the directories used by the CODESYS Control runtime system.\n\nThe following directories must be secured:\n* The directory containing configuration files\n* The directory containing binary files\n* The working directory used by the runtime system\n\nNote: Protecting individual files is not sufficient. The entire directories must be secured to ensure that any files created in the future are also protected.\n\nAlternatively, where applicable, all non-administrative user accounts can be removed from the system, and their re-creation should be prevented. Additionally, it is recommended to disable remote access methods that allow file access (e.g., SSH) wherever possible, in order to reduce the overall attack surface.\n\nBest practice recommendations for Linux and QNX Systems:\n* Create a dedicated privileged group for accessing the above-mentioned directories, and add the user account under which the runtime process is executed to this group.\n* Set the file system permissions for these directories to deny access to \"other\" users (e.g., chmod o-rx).\n* If access for additional users is required, they can be added to the privileged group as needed.",
"group_ids": [
"CSAFGID-1001"
],
"product_ids": [
"CSAFPID-51001"
]
},
{
"category": "vendor_fix",
"details": "Update the following products to version 4.16.0.0.\n* CODESYS Control for BeagleBone SL\n* CODESYS Control for emPC-A/iMX6 SL\n* CODESYS Control for IOT2000 SL\n* CODESYS Control for Linux ARM SL\n* CODESYS Control for Linux SL\n* CODESYS Control for PFC100 SL\n* CODESYS Control for PFC200 SL\n* CODESYS Control for Raspberry Pi SL\n* CODESYS Control for WAGO Touch Panels 600 SL\n* CODESYS Virtual Control SL\n\nFor the updated CODESYS Control SL products, CODESYS GmbH has implemented the necessary measures to address the identified security vulnerability. As a result, access to the runtime directories is now restricted to the Linux user account under which the CODESYS Control runtime is executed. Access is explicitly denied to all other non-administrator users.\n\nNote: Administrator users (e.g., root) may still retain access.\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.",
"group_ids": [
"CSAFGID-2001"
]
},
{
"category": "none_available",
"details": "For the following product no fix is available.\n* CODESYS Control for PLCnext SL\n\nSince there is no fix available for this product, CODESYS GmbH strongly recommends removing all other existing non-administrator users of the operating system and preventing their re-creation in order to neutralize the security vulnerability.",
"product_ids": [
"CSAFPID-52009"
]
},
{
"category": "vendor_fix",
"details": "Version 3.5.21.20 of the following product provides an updated CODESYS Control V3 Runtime System Documentation:\n* CODESYS Runtime Toolkit\n\nIn particular, Chapter 5 (Architecture Manual), Section 5.4 (Portings), Subsection 5.4.1 (Security Considerations), Subsection 5.4.1.1 (Operating System Folder Permissions) now provides detailed guidance for device manufacturers on how to address the described security vulnerability. The same information is also included as Mitigation in this advisory.\n\nCODESYS GmbH strongly recommends that this guidance be followed in order to effectively close the security vulnerability on affected devices. Devices are particularly at risk if they offer direct access to the operating system (e.g., via a local user interface or SSH) in combination with the presence or possibility of creating non-administrator user accounts for such access.\n\nImportant: Updating the toolkit is not sufficient. For affected customer devices based on the CODESYS Runtime Toolkit the vulnerability needs to be resolved following the instructions in the mentioned documentation.",
"product_ids": [
"CSAFPID-52001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008",
"CSAFPID-51009",
"CSAFPID-51010",
"CSAFPID-51011",
"CSAFPID-51012"
]
}
],
"title": "CVE-2025-41658"
}
]
}