ADVISORY2026-02_VDE-2026-011

Vulnerability from csaf_codesysgmbh - Published: 2026-03-24 08:00 - Updated: 2026-03-24 08:00
Summary
CODESYS Control V3 - Untrusted boot application
Severity
High
Notes
Summary: The CODESYS Control runtime system provides a user management mechanism with multiple privilege groups. While only the privileged Administrators and Developer groups are intended to load or debug applications on the controller, users in the restricted Service group are allowed to perform maintenance operations, including explicitly replacing the boot application.

In addition to access control, the CODESYS Control runtime system includes an optional application signing feature. When enabled, the controller executes only applications that have been validly signed by authorized developers. However, the CmpApp component of the CODESYS Control runtime systems allows Service‑group users to install a new boot application without requiring any cryptographic validation, if the application signing is not enforced.

As a result, users with Service‑level privileges can install arbitrary boot applications and gain control over the code executed on the controller.

Note: The user group "Service" is a predefined group within the CODESYS Control runtime system. If additional user groups have been created or if the permissions of predefined groups have been modified, then the term "Service" should be understood as a synonym for all groups and their users with no or only limited access rights to the "PlcLogic" object, in conjunction with "Add/Remove" or "Modify" permissions for the boot application files.
Impact: Exploitation of this vulnerability may allow a low-privileged remote attacker to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution on the PLC.
Mitigation: Without applying the update, the vulnerability can be mitigated by enforcing the use of signed applications through the following setting:

    [CmpApp]
    SECURITY.EnforceSignedCode=YES

This can be configured either via the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg). When this option is enabled, the CODESYS Control runtime system loads only trusted and valid signed applications.

Alternatively, all users belonging to the Service group can be removed, or the Service group can be deleted entirely.

If none of the other mitigation options are feasible, the permissions of the Service group can be restricted by adjusting their access rights. For example, removing modify permissions for the Service group on relevant file system objects can prevent the upload of untrusted boot applications. However, such changes must be applied with caution, as they may lead to inconsistent permissions for this user group and result in unexpected operational limitations. Therefore, this approach should only be considered after a careful assessment of the specific situation.
Remediation: Update the following products to version 3.5.22.0.

* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS HMI (SL)
* CODESYS Runtime Toolkit

Update the following products to version 4.21.0.0. The release of this version is expected for Q2 2026.

* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL

As part of the update, a new configuration file is provided that contains the following setting, which defines the behavior for Service‑group users:

    [CmpApp]
    SECURITY.UnsignedApplicationFileTransfer=DENY

When this configuration file is used, such as during a new installation, the CODESYS Control runtime system is protected by default.

CODESYS Control runtime systems that continue to use an existing configuration will default to the value ALLOW_WITH_WARNING to ensure compatibility. This setting can be changed either through the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting in the section [CmpApp]:

    SECURITY.UnsignedApplicationFileTransfer=

The setting supports the following values:

* DENY --> Transfer of unsigned applications is blocked (recommended)
* ALLOW_WITH_WARNING --> Transfer is permitted and a warning is logged (default for existing installations)
* ALLOW --> Transfer of unsigned applications is permitted (not recommended)

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area [4].
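The following configuration audit is an added example, not part of the CODESYS advisory or any CODESYS tooling: it reads the text of a CODESYSControl.cfg and reports whether the two [CmpApp] settings named under Mitigation and Remediation leave the controller protected. Assumptions: the file is INI-style with `;` or `#` comment lines, section and key names are matched exactly as the advisory spells them, the transfer setting only takes effect on a runtime at the fixed version, and the sample configurations and the `Example*` names are constructed.

```python
import re

SECTION = "CmpApp"
ENFORCE_KEY = "SECURITY.EnforceSignedCode"
TRANSFER_KEY = "SECURITY.UnsignedApplicationFileTransfer"
# The three values the advisory documents for the transfer setting.
TRANSFER_VALUES = ("DENY", "ALLOW_WITH_WARNING", "ALLOW")


def parse_cfg(text):
    """Parse INI-style text into {section: {key: value}}.

    Assumption: lines starting with ';' or '#' are comments. Repeated
    sections are merged and a repeated key keeps its last value.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def audit(text, runtime_updated):
    """Return {'status', 'effective_transfer', 'findings'} for one config.

    runtime_updated: True when the runtime is at the fixed version listed
    in the advisory for that product (3.5.22.0 or 4.21.0.0).
    """
    cmpapp = parse_cfg(text).get(SECTION, {})
    enforce = cmpapp.get(ENFORCE_KEY)
    transfer = cmpapp.get(TRANSFER_KEY)

    # Mitigation path: only signed applications are loaded.
    if enforce == "YES":
        return {"status": "protected", "effective_transfer": None,
                "findings": [f"{ENFORCE_KEY}=YES in [{SECTION}]"]}

    findings = [f"{ENFORCE_KEY} is not YES in [{SECTION}] (found: {enforce!r})"]

    # Assumption: the transfer setting is honoured only by fixed versions.
    if not runtime_updated:
        findings.append("runtime below fixed version; update or enforce signed code")
        return {"status": "exposed", "effective_transfer": None,
                "findings": findings}

    if transfer is None:
        # Advisory: existing configurations default to ALLOW_WITH_WARNING.
        effective = "ALLOW_WITH_WARNING"
        findings.append(f"{TRANSFER_KEY} missing; default {effective} applies")
    elif transfer in TRANSFER_VALUES:
        effective = transfer
        if effective != "DENY":
            findings.append(f"{TRANSFER_KEY}={effective}; advisory recommends DENY")
    else:
        # Unknown or empty value: behaviour is not documented, so fail closed.
        effective = None
        findings.append(f"{TRANSFER_KEY} has undocumented value {transfer!r}")

    status = "protected" if effective == "DENY" else "exposed"
    return {"status": status, "effective_transfer": effective,
            "findings": findings}


# Constructed sample configurations (not taken from a real controller).
LEGACY_CFG = """
[ExampleOtherComponent]
Example.Setting=1

[CmpApp]
Example.Other=1
; SECURITY.EnforceSignedCode=YES
"""

MITIGATED_CFG = """
[CmpApp]
SECURITY.EnforceSignedCode=YES
"""

FIXED_CFG = """
[CmpApp]
SECURITY.UnsignedApplicationFileTransfer=DENY
"""

MISPLACED_CFG = """
[ExampleOtherComponent]
SECURITY.EnforceSignedCode=YES

[CmpApp]
SECURITY.UnsignedApplicationFileTransfer=ALLOW
"""

if __name__ == "__main__":
    for name, cfg, updated in [("legacy", LEGACY_CFG, True),
                               ("mitigated", MITIGATED_CFG, False),
                               ("fixed", FIXED_CFG, True),
                               ("misplaced", MISPLACED_CFG, True)]:
        print(name, audit(cfg, updated))
```

The commented-out line in `LEGACY_CFG` and the setting placed in the wrong section in `MISPLACED_CFG` both count as not set, which is the fail-closed reading for an audit.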
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:

* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions

For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper [here.](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH. Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.

A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.

CWE-669 - Incorrect Resource Transfer Between Spheres
Vendor Fix

Update the following products to version 3.5.22.0.

* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS HMI (SL)
* CODESYS Runtime Toolkit

As part of the update, a new configuration file is provided that contains the following setting, which defines the behavior for Service‑group users:

    [CmpApp]
    SECURITY.UnsignedApplicationFileTransfer=DENY

When this configuration file is used, such as during a new installation, the CODESYS Control runtime system is protected by default. CODESYS Control runtime systems that continue to use an existing configuration will default to the value ALLOW_WITH_WARNING to ensure compatibility. This setting can be changed either through the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting in the section [CmpApp]:

    SECURITY.UnsignedApplicationFileTransfer=

The setting supports the following values:

* DENY --> Transfer of unsigned applications is blocked (recommended)
* ALLOW_WITH_WARNING --> Transfer is permitted and a warning is logged (default for existing installations)
* ALLOW --> Transfer of unsigned applications is permitted (not recommended)

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area [4].
None Available

Update the following products to version 4.21.0.0. The release of this version is expected for Q2 2026.

* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL

As part of the update, a new configuration file is provided that contains the following setting, which defines the behavior for Service‑group users:

    [CmpApp]
    SECURITY.UnsignedApplicationFileTransfer=DENY

When this configuration file is used, such as during a new installation, the CODESYS Control runtime system is protected by default. CODESYS Control runtime systems that continue to use an existing configuration will default to the value ALLOW_WITH_WARNING to ensure compatibility. This setting can be changed either through the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting in the section [CmpApp]:

    SECURITY.UnsignedApplicationFileTransfer=

The setting supports the following values:

* DENY --> Transfer of unsigned applications is blocked (recommended)
* ALLOW_WITH_WARNING --> Transfer is permitted and a warning is logged (default for existing installations)
* ALLOW --> Transfer of unsigned applications is permitted (not recommended)

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area [4].
Acknowledgments
Nozomi Networks Luca Borzacchiello

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://www.certvde.com"
        ]
      },
      {
        "names": [
          "Luca Borzacchiello"
        ],
        "organization": "Nozomi Networks",
        "summary": "reporting"
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The CODESYS Control runtime system provides a user management mechanism with multiple privilege groups. While only the privileged Administrators and Developer groups are intended to load or debug applications on the controller, users in the restricted Service group are allowed to perform maintenance operations, including explicitly replacing the boot application.\n\nIn addition to access control, the CODESYS Control runtime system includes an optional application signing feature. When enabled, the controller executes only applications that have been validly signed by authorized developers. However, the CmpApp component of the CODESYS Control runtime systems allows Service\u2011group users to install a new boot application without requiring any cryptographic validation, if the application signing is not enforced.\n\nAs a result, users with Service\u2011level privileges can install arbitrary boot applications and gain control over the code executed on the controller.\n\nNote: The user group \"Service\" is a predefined group within the CODESYS Control runtime system. If additional user groups have been created or if the permissions of predefined groups have been modified, then the term \"Service\" should be understood as a synonym for all groups and their users with no or only limited access rights to the \"PlcLogic\" object, in conjunction with \"Add/Remove\" or \"Modify\" permissions for the boot application files. ",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "Exploitation of this vulnerability may allow a low-priviledged remote attacker to  replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution on the PLC.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Without applying the update, the vulnerability can be mitigated by enforcing the use of signed applications through the following setting:\n[CmpApp]\nSECURITY.EnforceSignedCode=YES\n\nThis can be configured either via the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg). When this option is enabled, the CODESYS Control runtime system loads only trusted and valid signed applications.\n\nAlternatively, all users belonging to the Service group can be removed, or the Service group can be deleted entirely.\n\nIf none of the other mitigation options are feasible, the permissions of the Service group can be restricted by adjusting their access rights. For example, removing modify permissions for the Service group on relevant file system objects can prevent the upload of untrusted boot applications. However, such changes must be applied with caution, as they may lead to inconsistent permissions for this user group and result in unexpected operational limitations. Therefore, this approach should only be considered after a careful assessment of the specific situation.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Update the following products to version 3.5.22.0.\n* CODESYS Control RTE (SL)\n* CODESYS Control RTE (for Beckhoff CX) SL\n* CODESYS Control Win (SL)\n* CODESYS HMI (SL)\n* CODESYS Runtime Toolkit\n\nUpdate the following products to version 4.21.0.0. The release of this version is expected for Q2 2026.\n* CODESYS Control for BeagleBone SL\n* CODESYS Control for emPC-A/iMX6 SL\n* CODESYS Control for IOT2000 SL\n* CODESYS Control for Linux ARM SL\n* CODESYS Control for Linux SL\n* CODESYS Control for PFC100 SL\n* CODESYS Control for PFC200 SL\n* CODESYS Control for PLCnext SL\n* CODESYS Control for Raspberry Pi SL\n* CODESYS Control for WAGO Touch Panels 600 SL\n* CODESYS Virtual Control SL\n\nAs part of the update, a new configuration file is provided that contains the following setting, which defines the behavior for Service\u2011group users:\n[CmpApp]\nSECURITY.UnsignedApplicationFileTransfer=DENY\n\nWhen this configuration file is used, such as during a new installation, the CODESYS Control runtime system is protected by default. \n\nCODESYS Control runtime systems that continue to use an existing configuration will default to the value ALLOW_WITH_WARNING to ensure compatibility. 
This setting can be changed either through the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting in the section [CmpApp]:\nSECURITY.UnsignedApplicationFileTransfer=\n\nThe setting supports the following values:\n\nDENY --\u003e Transfer of unsigned applications is blocked (recommended)\n\nALLOW_WITH_WARNING --\u003e Transfer is permitted and a warning is logged (default for existing installations)\n\nALLOW --\u003e Transfer of unsigned applications is permitted (not recommended)\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area [4].",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
        "title": "General Recommendation"
      },
      {
        "category": "legal_disclaimer",
        "text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security@codesys.com",
      "name": "CODESYS GmbH",
      "namespace": "https://www.codesys.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for CODESYS GmbH",
        "url": "https://www.certvde.com/en/advisories/vendor/codesys"
      },
      {
        "category": "self",
        "summary": "Advisory2026-02_VDE-2026-011: CODESYS Control V3 - Untrusted boot application - HTML",
        "url": "https://www.certvde.com/en/advisories/VDE-2026-011/"
      },
      {
        "category": "self",
        "summary": "Advisory2026-02_VDE-2026-011: CODESYS Control V3 - Untrusted boot application - CSAF",
        "url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-02_vde-2026-011.json"
      },
      {
        "category": "external",
        "summary": "CODESYS Security Advisories",
        "url": "https://www.codesys.com/security/security-reports.html"
      },
      {
        "category": "self",
        "summary": "Advisory2026-02_VDE-2026-011: CODESYS Control V3 - Untrusted boot application - PDF",
        "url": "https://api-www.codesys.com/fileadmin/user_upload/CODESYS_Group/Ecosystem/Up-to-Date/Security/Security-Advisories/Advisory2026-02_CDS-93242.pdf"
      }
    ],
    "title": "CODESYS Control V3 - Untrusted boot application",
    "tracking": {
      "aliases": [
        "VDE-2026-011",
        "CODESYS Security Advisory 2026-02"
      ],
      "current_release_date": "2026-03-24T08:00:00.000Z",
      "generator": {
        "date": "2026-03-23T08:16:12.950Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "Advisory2026-02_VDE-2026-011",
      "initial_release_date": "2026-03-24T08:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-03-24T08:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c3.5.22.0",
                    "product": {
                      "name": "CODESYS Control RTE (SL) \u003c 3.5.22.0",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.22.0",
                    "product": {
                      "name": "CODESYS Control RTE (SL) 3.5.22.0",
                      "product_id": "CSAFPID-52001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control RTE (SL)"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c3.5.22.0",
                    "product": {
                      "name": "CODESYS Control RTE (for Beckhoff CX) SL \u003c 3.5.22.0",
                      "product_id": "CSAFPID-51002"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.22.0",
                    "product": {
                      "name": "CODESYS Control RTE (for Beckhoff CX) SL 3.5.22.0",
                      "product_id": "CSAFPID-52002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control RTE (for Beckhoff CX) SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c3.5.22.0",
                    "product": {
                      "name": "CODESYS Control Win (SL) \u003c 3.5.22.0",
                      "product_id": "CSAFPID-51003"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.22.0",
                    "product": {
                      "name": "CODESYS Control Win (SL) 3.5.22.0",
                      "product_id": "CSAFPID-52003"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control Win (SL)"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c3.5.22.0",
                    "product": {
                      "name": "CODESYS HMI (SL) \u003c 3.5.22.0",
                      "product_id": "CSAFPID-51004"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.22.0",
                    "product": {
                      "name": "CODESYS HMI (SL) 3.5.22.0",
                      "product_id": "CSAFPID-52004"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS HMI (SL)"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c3.5.22.0",
                    "product": {
                      "name": "CODESYS Runtime Toolkit \u003c 3.5.22.0",
                      "product_id": "CSAFPID-51005"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.5.22.0",
                    "product": {
                      "name": "CODESYS Runtime Toolkit 3.5.22.0",
                      "product_id": "CSAFPID-52005"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Runtime Toolkit"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for BeagleBone SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51006"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for BeagleBone SL 4.21.0.0",
                      "product_id": "CSAFPID-52006"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for BeagleBone SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for emPC-A/iMX6 SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51007"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for emPC-A/iMX6 SL 4.21.0.0",
                      "product_id": "CSAFPID-52007"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for emPC-A/iMX6 SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for IOT2000 SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51008"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for IOT2000 SL 4.21.0.0",
                      "product_id": "CSAFPID-52008"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for IOT2000 SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for Linux ARM SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51009"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for Linux ARM SL 4.21.0.0",
                      "product_id": "CSAFPID-52009"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for Linux ARM SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for Linux SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51010"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for Linux SL 4.21.0.0",
                      "product_id": "CSAFPID-52010"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for Linux SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for PFC100 SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51011"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for PFC100 SL 4.21.0.0",
                      "product_id": "CSAFPID-52011"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for PFC100 SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for PFC200 SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51012"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for PFC200 SL 4.21.0.0",
                      "product_id": "CSAFPID-52012"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for PFC200 SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for PLCnext SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51013"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for PLCnext SL 4.21.0.0",
                      "product_id": "CSAFPID-52013"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for PLCnext SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for Raspberry Pi SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51014"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for Raspberry Pi SL 4.21.0.0",
                      "product_id": "CSAFPID-52014"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for Raspberry Pi SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for WAGO Touch Panels 600 SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51015"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Control for WAGO Touch Panels 600 SL 4.21.0.0",
                      "product_id": "CSAFPID-52015"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Control for WAGO Touch Panels 600 SL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:generic/\u003c4.21.0.0",
                    "product": {
                      "name": "CODESYS Virtual Control SL \u003c 4.21.0.0",
                      "product_id": "CSAFPID-51016"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.21.0.0",
                    "product": {
                      "name": "CODESYS Virtual Control SL 4.21.0.0",
                      "product_id": "CSAFPID-52016"
                    }
                  }
                ],
                "category": "product_name",
                "name": "CODESYS Virtual Control SL"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "CODESYS"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-1001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ],
        "summary": "Affected products v3.5.x."
      },
      {
        "group_id": "CSAFGID-2001",
        "product_ids": [
          "CSAFPID-52001",
          "CSAFPID-52002",
          "CSAFPID-52003",
          "CSAFPID-52004",
          "CSAFPID-52005"
        ],
        "summary": "Fixed products v3.5.x."
      },
      {
        "group_id": "CSAFGID-1002",
        "product_ids": [
          "CSAFPID-51006",
          "CSAFPID-51007",
          "CSAFPID-51008",
          "CSAFPID-51009",
          "CSAFPID-51010",
          "CSAFPID-51011",
          "CSAFPID-51012",
          "CSAFPID-51013",
          "CSAFPID-51014",
          "CSAFPID-51015",
          "CSAFPID-51016"
        ],
        "summary": "Affected products v4.x."
      },
      {
        "group_id": "CSAFGID-2002",
        "product_ids": [
          "CSAFPID-52006",
          "CSAFPID-52007",
          "CSAFPID-52008",
          "CSAFPID-52009",
          "CSAFPID-52010",
          "CSAFPID-52011",
          "CSAFPID-52012",
          "CSAFPID-52013",
          "CSAFPID-52014",
          "CSAFPID-52015",
          "CSAFPID-52016"
        ],
        "summary": "Fixed products v4.x."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41660",
      "cwe": {
        "id": "CWE-669",
        "name": "Incorrect Resource Transfer Between Spheres"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001",
          "CSAFPID-52002",
          "CSAFPID-52003",
          "CSAFPID-52004",
          "CSAFPID-52005",
          "CSAFPID-52006",
          "CSAFPID-52007",
          "CSAFPID-52008",
          "CSAFPID-52009",
          "CSAFPID-52010",
          "CSAFPID-52011",
          "CSAFPID-52012",
          "CSAFPID-52013",
          "CSAFPID-52014",
          "CSAFPID-52015",
          "CSAFPID-52016"
        ],
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006",
          "CSAFPID-51007",
          "CSAFPID-51008",
          "CSAFPID-51009",
          "CSAFPID-51010",
          "CSAFPID-51011",
          "CSAFPID-51012",
          "CSAFPID-51013",
          "CSAFPID-51014",
          "CSAFPID-51015",
          "CSAFPID-51016"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Without applying the update, the vulnerability can be mitigated by enforcing the use of signed applications through the following setting:\n[CmpApp]\nSECURITY.EnforceSignedCode=YES\n\nThis can be configured either via the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg). When this option is enabled, the CODESYS Control runtime system loads only trusted and valid signed applications.\n\nAlternatively, all users belonging to the Service group can be removed, or the Service group can be deleted entirely.\n\nIf none of the other mitigation options are feasible, the permissions of the Service group can be restricted by adjusting their access rights. For example, removing modify permissions for the Service group on relevant file system objects can prevent the upload of untrusted boot applications. However, such changes must be applied with caution, as they may lead to inconsistent permissions for this user group and result in unexpected operational limitations. Therefore, this approach should only be considered after a careful assessment of the specific situation.",
          "group_ids": [
            "CSAFGID-1001",
            "CSAFGID-1002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update the following products to version 3.5.22.0.\n* CODESYS Control RTE (SL)\n* CODESYS Control RTE (for Beckhoff CX) SL\n* CODESYS Control Win (SL)\n* CODESYS HMI (SL)\n* CODESYS Runtime Toolkit\n\nAs part of the update, a new configuration file is provided that contains the following setting, which defines the behavior for Service\u2011group users:\n[CmpApp]\nSECURITY.UnsignedApplicationFileTransfer=DENY\n\nWhen this configuration file is used, such as during a new installation, the CODESYS Control runtime system is protected by default. \n\nCODESYS Control runtime systems that continue to use an existing configuration will default to the value ALLOW_WITH_WARNING to ensure compatibility. This setting can be changed either through the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting in the section [CmpApp]:\nSECURITY.UnsignedApplicationFileTransfer=\n\nThe setting supports the following values:\n\nDENY --\u003e Transfer of unsigned applications is blocked (recommended)\n\nALLOW_WITH_WARNING --\u003e Transfer is permitted and a warning is logged (default for existing installations)\n\nALLOW --\u003e Transfer of unsigned applications is permitted (not recommended)\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area [4]. ",
          "group_ids": [
            "CSAFGID-1001"
          ]
        },
        {
          "category": "none_available",
          "details": "Update the following products to version 4.21.0.0. The release of this version is expected for Q2 2026.\n* CODESYS Control for BeagleBone SL\n* CODESYS Control for emPC-A/iMX6 SL\n* CODESYS Control for IOT2000 SL\n* CODESYS Control for Linux ARM SL\n* CODESYS Control for Linux SL\n* CODESYS Control for PFC100 SL\n* CODESYS Control for PFC200 SL\n* CODESYS Control for PLCnext SL\n* CODESYS Control for Raspberry Pi SL\n* CODESYS Control for WAGO Touch Panels 600 SL\n* CODESYS Virtual Control SL\n\nAs part of the update, a new configuration file is provided that contains the following setting, which defines the behavior for Service\u2011group users:\n[CmpApp]\nSECURITY.UnsignedApplicationFileTransfer=DENY\n\nWhen this configuration file is used, such as during a new installation, the CODESYS Control runtime system is protected by default. \n\nCODESYS Control runtime systems that continue to use an existing configuration will default to the value ALLOW_WITH_WARNING to ensure compatibility. This setting can be changed either through the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting in the section [CmpApp]:\nSECURITY.UnsignedApplicationFileTransfer=\n\nThe setting supports the following values:\n\nDENY --\u003e Transfer of unsigned applications is blocked (recommended)\n\nALLOW_WITH_WARNING --\u003e Transfer is permitted and a warning is logged (default for existing installations)\n\nALLOW --\u003e Transfer of unsigned applications is permitted (not recommended)\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area [4]. ",
          "group_ids": [
            "CSAFGID-1002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005",
            "CSAFPID-51006",
            "CSAFPID-51007",
            "CSAFPID-51008",
            "CSAFPID-51009",
            "CSAFPID-51010",
            "CSAFPID-51011",
            "CSAFPID-51012",
            "CSAFPID-51013",
            "CSAFPID-51014",
            "CSAFPID-51015",
            "CSAFPID-51016"
          ]
        }
      ],
      "title": "CODESYS Control Boot Application Replacement Enables Code Execution"
    }
  ]
}

