ADVISORY2026-07_VDE-2026-052
Vulnerability from csaf_codesysgmbh - Published: 2026-05-21 10:00 - Updated: 2026-05-21 10:00
Summary
CODESYS Visualization - Insufficiently Protected Credentials
Severity
Medium
Notes
Summary: A vulnerability in the CODESYS Visualization login dialog has been identified. During logins within the CODESYS Visualization, authentication data may not be sufficiently isolated when multiple users perform login operations concurrently.
As a result, an authenticated visualization user may be able to obtain credentials entered by another visualization user. The issue affects only login operations within an active visualization session and can be triggered via local and remote access to the visualization.
Impact: Exploitation of this vulnerability may allow an authenticated remote visualization user to obtain credentials entered by another visualization user, potentially with higher privileges.
Mitigation: Two alternative mitigation options have been identified.
One option is to avoid using the Input Action "User Management -> Login" for changing users within an active visualization session. Instead, use the Input Action "User Management -> Logout" to do a complete logout followed by a new Login to the Visualization to re-login with another user.
Alternatively, property handling within the visualization can be disabled via Project Settings -> Visualization -> General -> Advanced -> "Activate property handling in all element properties", if this is not required for the compilation of the application.
Remediation: Update the following product to version 4.10.0.0.
* CODESYS Visualization
For existing affected CODESYS projects that include a visualization, the fix takes effect only after recompiling the application and performing a new download to the HMI or PLC.
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.
General Recommendation: As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice defense measures:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
* Use firewalls to protect and separate the control system network from other networks
* Activate and apply user management and password features
* Limit the access to both development and control system by physical means, operating system features, etc.
* Use encrypted communication links
* Use VPN (Virtual Private Networks) tunnels if remote access is required
* Protect both development and control system by using up to date virus detecting solutions
For more information and general recommendations for protecting machines and plants, see also the CODESYS Security Whitepaper [here](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf).
Disclaimer: CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of CODESYS GmbH.
Note: Not all CODESYS features are available in all territories. For more information on geographic restrictions, please contact sales@codesys.com.
CVE Description (CVE-2026-0393, CWE-522 Insufficiently Protected Credentials): The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session.
CVSS v3.1 base score: 5.7 (Medium)
Affected products
Fixed (1 product)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| CODESYS Visualization 4.10.0.0 (CODESYS / Software / CODESYS Visualization) | CSAFPID-52001 | 4.10.0.0 | |
Known affected (1 product)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| CODESYS Visualization < 4.10.0.0 (CODESYS / Software / CODESYS Visualization) | CSAFPID-51001 | vers:generic/<4.10.0.0 | Mitigation; Vendor Fix |
References (6 references)
- CERT@VDE Security Advisories for CODESYS GmbH: https://www.certvde.com/en/advisories/vendor/codesys
- Advisory2026-07_VDE-2026-052 - HTML: https://www.certvde.com/en/advisories/VDE-2026-052/
- Advisory2026-07_VDE-2026-052 - CSAF: https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-07_vde-2026-052.json
- CODESYS Security Advisories: https://www.codesys.com/security/security-reports.html
- Advisory2026-07_VDE-2026-052 - PDF: https://api-www.codesys.com/fileadmin/user_upload/CODESYS_Group/Ecosystem/Up-to-Date/Security/Security-Advisories/Advisory2026-07_VIS-6204.pdf
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N - 6.9 / Medium: https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Acknowledgments
- CERT@VDE (www.certvde.com): coordination
- CTA AG, Silvan Schweizer: reporting
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://www.certvde.com"
]
},
{
"names": [
"Silvan Schweizer"
],
"organization": "CTA AG",
"summary": "reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Medium"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A vulnerability in the CODESYS Visualization login dialog has been identified. During logins within the CODESYS Visualization, authentication data may not be sufficiently isolated when multiple users perform login operations concurrently.\n\nAs a result, an authenticated visualization user may be able to obtain credentials entered by another visualization user. The issue affects only login operations within an active visualization session and can be triggered via local and remote access to the visualization.",
"title": "Summary"
},
{
"category": "description",
"text": "Exploitation of this vulnerability may allow an authenticated remote visualization user to obtain credentials entered by another visualization user, potentially with higher privileges.",
"title": "Impact"
},
{
"category": "description",
"text": "Two alternative mitigation options have been identified. \nOne option is to avoid using the Input Action \"User Management -\u003e Login\" for changing users within an active visualization session. Instead, use the Input Action \"User Management -\u003e Logout\" to do a complete logout followed by a new Login to the Visualization to re-login with another user.\nAlternatively, property handling within the visualization can be disabled via Project Settings -\u003e Visualization -\u003e General -\u003e Advanced -\u003e \"Activate property handling in all element properties\", if this is not required for the compilation of the application.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update the following product to version 4.10.0.0.\n* CODESYS Visualization\n\nFor existing affected CODESYS projects that include a visualization, the fix takes effect only after recompiling the application and performing a new download to the HMI or PLC.\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.",
"title": "Remediation"
},
{
"category": "general",
"text": "As part of a security strategy, CODESYS GmbH strongly recommends at least the following best-practice\ndefense measures:\n\n* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside\n* Use firewalls to protect and separate the control system network from other networks\n* Activate and apply user management and password features\n* Limit the access to both development and control system by physical means, operating system features, etc.\n* Use encrypted communication links\n* Use VPN (Virtual Private Networks) tunnels if remote access is required\n* Protect both development and control system by using up to date virus detecting solutions\n\nFor more information and general recommendations for protecting machines and plants, see also the\nCODESYS Security Whitepaper [here.](https://www.customers.codesys.com/fileadmin/data/customers/security/CODESYS-Security-Whitepaper.pdf)",
"title": "General Recommendation"
},
{
"category": "legal_disclaimer",
"text": "CODESYS GmbH assumes no liability whatsoever for indirect, collateral, accidental or consequential losses\nthat occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided on good faith by CODESYS GmbH.\nInsofar as permissible by law, however, none of this information shall establish any guarantee, commitment or\nliability on the part of CODESYS GmbH.\n\nNote: Not all CODESYS features are available in all territories. For more information on geographic restrictions,\nplease contact sales@codesys.com.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@codesys.com",
"name": "CODESYS GmbH",
"namespace": "https://www.codesys.com"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for CODESYS GmbH",
"url": "https://www.certvde.com/en/advisories/vendor/codesys"
},
{
"category": "self",
"summary": "Advisory2026-07_VDE-2026-052: CODESYS Visualization - Insufficiently Protected Credentials - HTML",
"url": "https://www.certvde.com/en/advisories/VDE-2026-052/"
},
{
"category": "self",
"summary": "Advisory2026-07_VDE-2026-052: CODESYS Visualization - Insufficiently Protected Credentials - CSAF",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-07_vde-2026-052.json"
},
{
"category": "external",
"summary": "CODESYS Security Advisories",
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"category": "self",
"summary": "Advisory2026-07_VDE-2026-052: CODESYS Visualization - Insufficiently Protected Credentials - PDF",
"url": "https://api-www.codesys.com/fileadmin/user_upload/CODESYS_Group/Ecosystem/Up-to-Date/Security/Security-Advisories/Advisory2026-07_VIS-6204.pdf"
}
],
"title": "CODESYS Visualization - Insufficiently Protected Credentials",
"tracking": {
"aliases": [
"VDE-2026-052",
"CODESYS Security Advisory 2026-07"
],
"current_release_date": "2026-05-21T10:00:00.000Z",
"generator": {
"date": "2026-05-11T07:13:38.785Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.44"
}
},
"id": "Advisory2026-07_VDE-2026-052",
"initial_release_date": "2026-05-21T10:00:00.000Z",
"revision_history": [
{
"date": "2026-05-21T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:generic/\u003c4.10.0.0",
"product": {
"name": "CODESYS Visualization \u003c 4.10.0.0",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "4.10.0.0",
"product": {
"name": "CODESYS Visualization 4.10.0.0",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "CODESYS Visualization"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "CODESYS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-0393",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001"
],
"known_affected": [
"CSAFPID-51001"
]
},
"references": [
{
"category": "external",
"summary": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N - 6.9 / Medium",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Two alternative mitigation options have been identified. \nOne option is to avoid using the Input Action \"User Management -\u003e Login\" for changing users within an active visualization session. Instead, use the Input Action \"User Management -\u003e Logout\" to do a complete logout followed by a new Login to the Visualization to re-login with another user.\nAlternatively, property handling within the visualization can be disabled via Project Settings -\u003e Visualization -\u003e General -\u003e Advanced -\u003e \"Activate property handling in all element properties\", if this is not required for the compilation of the application.",
"product_ids": [
"CSAFPID-51001"
]
},
{
"category": "vendor_fix",
"details": "Update the following product to version 4.10.0.0.\n* CODESYS Visualization\n\nFor existing affected CODESYS projects that include a visualization, the fix takes effect only after recompiling the application and performing a new download to the HMI or PLC.\n\nThe CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.",
"product_ids": [
"CSAFPID-51001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 5.7,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.7,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001"
]
}
],
"title": "Insufficiently Protected Credentials in CODESYS Visualization"
}
]
}
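The product tree and product status above are the machine-readable part of the advisory: whether an installation is affected is decided by the `vers:generic/<4.10.0.0` range on CSAFPID-51001 and the exact version 4.10.0.0 on CSAFPID-52001. The following Python check is an added example, not part of the advisory or of any CODESYS or CERT@VDE tooling. It walks a CSAF 2.0 `product_tree`, evaluates the version range against an installed version string, and returns the product status together with the remediation categories that apply. `CSAF_DOC` is a trimmed copy of the advisory's own JSON (only the fields the check needs); the `vers` handling is a simplification that applies each constraint conjunctively, which covers single-bound ranges like this one but not the full interval semantics of the vers specification.

```python
"""Check an installed CODESYS Visualization version against the CSAF advisory.

Added example (not the advisory's or CODESYS' own code). Walks a CSAF 2.0
product_tree, resolves the product IDs named in product_status and evaluates
the 'vers:generic/<4.10.0.0' range against a version string.
"""
import re

# Constructed: the advisory's product_tree plus the vulnerability's
# product_status and remediations, reduced to the fields this check needs.
CSAF_DOC = {
    "product_tree": {"branches": [{
        "category": "vendor", "name": "CODESYS",
        "branches": [{
            "category": "product_family", "name": "Software",
            "branches": [{
                "category": "product_name", "name": "CODESYS Visualization",
                "branches": [
                    {"category": "product_version_range",
                     "name": "vers:generic/<4.10.0.0",
                     "product": {"name": "CODESYS Visualization < 4.10.0.0",
                                 "product_id": "CSAFPID-51001"}},
                    {"category": "product_version", "name": "4.10.0.0",
                     "product": {"name": "CODESYS Visualization 4.10.0.0",
                                 "product_id": "CSAFPID-52001"}},
                ]}]}]}]},
    "vulnerabilities": [{
        "cve": "CVE-2026-0393",
        "product_status": {"fixed": ["CSAFPID-52001"],
                           "known_affected": ["CSAFPID-51001"]},
        "remediations": [
            {"category": "mitigation", "product_ids": ["CSAFPID-51001"]},
            {"category": "vendor_fix", "product_ids": ["CSAFPID-51001"]},
        ],
    }],
}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'4.10.0.0' -> (4, 10, 0, 0). Numeric tuples, so 4.9.x sorts below 4.10.x;
    a plain string comparison would get that wrong."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_vers(spec):
    """Split 'vers:<scheme>/<constraints>' into (operator, version) pairs.
    Simplified: '|'-separated constraints are later applied conjunctively."""
    m = re.fullmatch(r"vers:(\w+)/(.+)", spec)
    if not m:
        raise ValueError(f"not a vers range: {spec}")
    constraints = []
    for c in m.group(2).split("|"):
        op_m = re.fullmatch(r"(<=|>=|!=|<|>|=)?(.+)", c.strip())
        constraints.append((op_m.group(1) or "=", parse_version(op_m.group(2))))
    return constraints


def collect_products(branches, product_name=None):
    """Flatten the product_tree into {product_id: metadata}, remembering the
    enclosing product_name branch so callers can filter by product."""
    out = {}
    for b in branches:
        if b.get("category") == "product_name":
            product_name = b.get("name")
        if "product" in b:
            out[b["product"]["product_id"]] = {
                "product_name": product_name,
                "category": b["category"],
                "version_spec": b["name"],
            }
        out.update(collect_products(b.get("branches", []), product_name))
    return out


def matches(entry, installed):
    """True if the installed version falls under this product entry."""
    v = parse_version(installed)
    if entry["category"] == "product_version":
        return v == parse_version(entry["version_spec"])
    if entry["category"] == "product_version_range":
        return all(_OPS[op](v, bound) for op, bound in parse_vers(entry["version_spec"]))
    return False


def assess(doc, product_name, installed):
    """Return (status, sorted remediation categories) for one installed version.
    status is 'known_affected', 'fixed' or 'unknown'. 'unknown' only means the
    version is not listed in the advisory; it is not evidence that it is safe."""
    products = collect_products(doc["product_tree"]["branches"])
    hits = {pid for pid, e in products.items()
            if e["product_name"] == product_name and matches(e, installed)}
    for vuln in doc["vulnerabilities"]:
        for status, ids in vuln["product_status"].items():
            if hits & set(ids):
                fixes = sorted({r["category"] for r in vuln.get("remediations", [])
                                if hits & set(r["product_ids"])})
                return status, fixes
    return "unknown", []


if __name__ == "__main__":
    for ver in ("3.5.19.70", "4.9.0.0", "4.10.0.0", "4.10.1.0"):
        print(ver, assess(CSAF_DOC, "CODESYS Visualization", ver))
```

Note the third outcome: a version the advisory does not list (for example one released after 4.10.0.0) comes back as `unknown`, and an inventory script should surface that rather than silently treating it as fixed. Also remember, per the Remediation note above, that a `fixed` result for the installed Visualization package still leaves a deployed application affected until it has been recompiled and downloaded to the HMI or PLC again; the CSAF document cannot see that state.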