ADVISORY2026-01_VDE-2026-012
Vulnerability from csaf_codesysgmbh - Published: 2026-03-10 10:00 - Updated: 2026-03-10 10:00
Summary
CODESYS Installer - Possible Privilege Escalation
Severity
High
Notes
Summary: The CODESYS Installer is affected by a privilege escalation vulnerability. Due to a race condition, a local attacker with limited privileges can replace the verified downloaded setup before execution. Because the update process runs with administrator privileges, a malicious application can be executed with elevated rights.
The attack requires the legitimate user to confirm the self‑update prompt for the CODESYS Installer itself or to initiate an installation of a CODESYS Development System. The update process for CODESYS Add-Ons is not affected by this issue.
Impact: Exploitation of this vulnerability can lead to a privilege escalation on the host system.
Remediation: Update the following product to version 2.6.1.0.
* CODESYS Installer
To avoid using the self‑update mechanism when applying the software update, we recommend manually downloading the fixed version of the CODESYS Installer from the CODESYS Store and installing it. Alternatively, you can also download and install the CODESYS Development System version 3.5.22.0 or newer as a complete setup, which includes the updated CODESYS Installer.
The CODESYS Installer as well as the CODESYS Development System can be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions
For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper [here.](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH.
Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.
If a legitimate user confirms a self-update prompt or initiates an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer.
7.3 (High)
Vendor Fix
Update the following product to version 2.6.1.0.
* CODESYS Installer
The CODESYS Installer as well as the CODESYS Development System can be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.
References
| URL | Category |
|---|---|
Acknowledgments
CERT@VDE
www.certvde.com
SEW-EURODRIVE GmbH & Co KG
David Ruscheweyh
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://www.certvde.com"
]
},
{
"names": [
"David Ruscheweyh"
],
"organization": "SEW-EURODRIVE GmbH \u0026 Co KG",
"summary": "reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "The CODESYS Installer is affected by a privilege escalation vulnerability. Due to a race condition, a local attacker with limited privileges can replace the verified downloaded setup before execution. Because the update process runs with administrator privileges, a malicious application can be executed with elevated rights.\nThe attack requires the legitimate user to confirm the self\u2011update prompt for the CODESYS Installer itself or to initiate an installation of a CODESYS Development System. The update process for CODESYS Add-Ons is not affected by this issue.",
"title": "Summary"
},
{
"category": "description",
"text": "Exploitation of this vulnerability can lead to a privilege escalation on the host system.",
"title": "Impact"
},
{
"category": "description",
"text": "Update the following product to version 2.6.1.0.\n* CODESYS Installer\n\nTo avoid using the self\u2011update mechanism when applying the software update, we recommend manually downloading the fixed version of the CODESYS Installer from the CODESYS Store and installing it. Alternatively, you can also download and install the CODESYS Development System version 3.5.22.0 or newer as a complete setup, which includes the updated CODESYS Installer.\n\nThe CODESYS Installer as well as the CODESYS Development System can be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.",
"title": "Remediation"
},
{
"category": "general",
"text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
"title": "General Recommendation"
},
{
"category": "legal_disclaimer",
"text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@codesys.com",
"name": "CODESYS GmbH",
"namespace": "https://www.codesys.com"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for CODESYS GmbH",
"url": "https://www.certvde.com/en/advisories/vendor/codesys"
},
{
"category": "self",
"summary": "Advisory2026-01_VDE-2026-012: CODESYS Installer - Possible Privilege Escalation - HTML",
"url": "https://www.certvde.com/en/advisories/VDE-2026-012/"
},
{
"category": "self",
"summary": "Advisory2026-01_VDE-2026-012: CODESYS Installer - Possible Privilege Escalation - CSAF",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-01_vde-2026-012.json"
},
{
"category": "external",
"summary": "CODESYS Security Advisories",
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"category": "self",
"summary": "Advisory2026-01_VDE-2026-012: CODESYS Installer - Possible Privilege Escalation - PDF",
"url": "https://api-www.codesys.com/fileadmin/user_upload/CODESYS_Group/Ecosystem/Up-to-Date/Security/Security-Advisories/Advisory2026-01_INST-1084.pdf"
}
],
"title": "CODESYS Installer - Possible Privilege Escalation",
"tracking": {
"aliases": [
"VDE-2026-012",
"CODESYS Security Advisory 2026-01"
],
"current_release_date": "2026-03-10T10:00:00.000Z",
"generator": {
"date": "2026-03-09T15:05:09.108Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.44"
}
},
"id": "Advisory2026-01_VDE-2026-012",
"initial_release_date": "2026-03-10T10:00:00.000Z",
"revision_history": [
{
"date": "2026-03-10T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:generic/\u003c2.6.1.0",
"product": {
"name": "CODESYS Installer \u003c 2.6.1.0",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "2.6.1.0",
"product": {
"name": "CODESYS Installer 2.6.1.0",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "CODESYS Installer"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "CODESYS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-2364",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001"
],
"known_affected": [
"CSAFPID-51001"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update the following product to version 2.6.1.0.\n* CODESYS Installer\n\nThe CODESYS Installer as well as the CODESYS Development System can be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.",
"product_ids": [
"CSAFPID-51001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.3,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.3,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001"
]
}
],
"title": "CODESYS Installer TOCTOU Privilege Escalation"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.