ADVISORY2025-11_VDE-2025-101
Vulnerability from csaf_codesysgmbh - Published: 2025-12-01 10:00 - Updated: 2025-12-01 10:00
Summary
CODESYS Development System - Deserialization of Untrusted Data
Severity
High
Notes
Summary: A vulnerability has been discovered in the print engine of the CODESYS development system. If a CODESYS project file or archive file was crafted in a specific way, the CODESYS development system could execute arbitrary code when a user opens these files and configures the print/printer options or prints the project or parts of it. This arbitrary code would be executed in the context of the user who was tricked into opening the project.
Impact: The CODESYS development system deserializes potentially untrusted data and thereby executes arbitrary code when a user opens and edits a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context and can compromise system integrity, confidentiality, and availability.
Mitigation: Open/install CODESYS archives, projects and packages from trustworthy sources only.
Remediation: Update the following products to version 3.5.21.40.
* CODESYS Development System
When existing CODESYS project files are opened with a fixed CODESYS Development system version, the option keys "PageSettings" and "PrinterSettings" are now obsolete and will be reset. As a result printer and page settings will be lost and have to be reconfigured. Only these specific parts of "Project Options -> Page Setup" are dropped by the update. The configured Header, Footer, TitlePage and Document options will be kept.
The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions
For more information and general recommendations for protecting machines and plants, see also the [CODESYS Security Whitepaper](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf).
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH.
Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.
Vulnerability Description (CVE-2025-41700): An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.
CVSS v3.1 base score: 7.8 (High)
Acknowledgments
CERT@VDE
www.certvde.com
Beijing Aerospace Wanyuan Science & Technology Co, Ltd.
MengyuXia
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://www.certvde.com"
]
},
{
"names": [
"MengyuXia"
],
"organization": "Beijing Aerospace Wanyuan Science \u0026 Technology Co, Ltd.",
"summary": "reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A vulnerability has been discovered in the print engine of the CODESYS development system. If a CODESYS project file or archive file was crafted in a specific way, the CODESYS development system could execute arbitrary code when a user opens these files and configures the print/printer options or prints the project or parts of it. This arbitrary code would be executed in the context of the user who was tricked into opening the project.",
"title": "Summary"
},
{
"category": "description",
"text": "The CODESYS development system deserializes potentially untrusted data and thereby executes arbitrary code when a user opens and edits a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context and can compromise system integrity, confidentiality, and availability.",
"title": "Impact"
},
{
"category": "description",
"text": "Open/install CODESYS archives, projects and packages from trustworthy sources only.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update the following products to version 3.5.21.40.\n* CODESYS Development System \n\nWhen existing CODESYS project files are opened with a fixed CODESYS Development system version, the option keys \"PageSettings\" and \"PrinterSettings\" are now obsolete and will be reset. As a result printer and page settings will be lost and have to be reconfigured. Only these specific parts of \"Project Options -\u003e Page Setup\" are dropped by the update. The configured Header, Footer, TitlePage and Document options will be kept. \n\nThe CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.",
"title": "Remediation"
},
{
"category": "general",
"text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
"title": "General Recommendation"
},
{
"category": "legal_disclaimer",
"text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@codesys.com",
"name": "CODESYS GmbH",
"namespace": "https://www.codesys.com"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for CODESYS GmbH",
"url": "https://www.certvde.com/en/advisories/vendor/codesys"
},
{
"category": "self",
"summary": "Advisory2025-11_VDE-2025-101: CODESYS Development System - Deserialization of Untrusted Data - HTML",
"url": "https://www.certvde.com/en/advisories/VDE-2025-101/"
},
{
"category": "self",
"summary": "Advisory2025-11_VDE-2025-101: CODESYS Development System - Deserialization of Untrusted Data - CSAF",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2025/advisory2025-11_vde-2025-101.json"
},
{
"category": "external",
"summary": "CODESYS Security Advisories",
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"category": "self",
"summary": "Advisory2025-11_VDE-2025-101: CODESYS Development System - Deserialization of Untrusted Data - PDF",
"url": "https://api-www.codesys.com/fileadmin/user_upload/CODESYS_Group/Ecosystem/Up-to-Date/Security/Security-Advisories/Advisory2025-11_CDS-94858.pdf"
}
],
"title": "CODESYS Development System - Deserialization of Untrusted Data",
"tracking": {
"aliases": [
"VDE-2025-101",
"CODESYS Security Advisory 2025-11"
],
"current_release_date": "2025-12-01T10:00:00.000Z",
"generator": {
"date": "2025-11-28T13:16:28.615Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.40"
}
},
"id": "Advisory2025-11_VDE-2025-101",
"initial_release_date": "2025-12-01T10:00:00.000Z",
"revision_history": [
{
"date": "2025-12-01T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.5.21.40",
"product": {
"name": "CODESYS Development System \u003c3.5.21.40",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "3.5.21.40",
"product": {
"name": "CODESYS Development System 3.5.21.40",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "CODESYS Development System "
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "CODESYS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41700",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.\n",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001"
],
"known_affected": [
"CSAFPID-51001"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Open/install CODESYS archives, projects and packages from trustworthy sources only.",
"product_ids": [
"CSAFPID-51001"
]
},
{
"category": "vendor_fix",
"details": "Update the following products to version 3.5.21.40.\n* CODESYS Development System \n\nWhen existing CODESYS project files are opened with a fixed CODESYS Development system version, the option keys \"PageSettings\" and \"PrinterSettings\" are now obsolete and will be reset. As a result printer and page settings will be lost and have to be reconfigured. Only these specific parts of \"Project Options -\u003e Page Setup\" are dropped by the update. The configured Header, Footer, TitlePage and Document options will be kept. \n\nThe CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/. ",
"product_ids": [
"CSAFPID-51001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001"
]
}
],
"title": "CODESYS Development System - Deserialization of Untrusted Data"
}
]
}