CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.
Analysis
A vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot application, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability affects numerous CODESYS Control variants across multiple platforms including Linux, Windows, embedded systems, and industrial controllers. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privileges, this represents a significant threat to industrial control systems and automation environments.
Technical Context
CODESYS Control is a widely deployed runtime system for programmable logic controllers (PLCs) and other industrial automation devices. The boot application is the compiled project image that the runtime loads and starts automatically at power-on, without an engineering tool being connected, so whoever controls that image controls what the controller runs. The weakness is classified as CWE-669 (Incorrect Resource Transfer Between Spheres): a resource, here the boot application, crosses a trust boundary without adequate validation or authorization. The affected products span the CODESYS ecosystem, including Control RTE, Control Win, HMI, and the Runtime Toolkit, as well as platform-specific runtimes for Beckhoff CX controllers, BeagleBone, Raspberry Pi, WAGO Touch Panels, Linux ARM systems, IOT2000 devices, and PLCNext controllers. Because the boot application replacement path does not enforce sufficient authorization, an authenticated user with only low privileges can substitute a malicious boot application, which the runtime then executes at the next startup with the privileges of the runtime process itself (on many embedded targets a highly privileged system account).
Affected Products
Multiple CODESYS products are affected, including CODESYS Control RTE (SL), CODESYS Control RTE for Beckhoff CX (SL), CODESYS Control Win (SL), CODESYS HMI (SL), CODESYS Runtime Toolkit, CODESYS Control for BeagleBone SL, CODESYS Control for emPC-A/iMX6 SL, CODESYS Control for IOT2000 SL, CODESYS Control for Linux ARM SL, CODESYS Control for Linux SL, CODESYS Control for PFC100 SL, CODESYS Control for PFC200 SL, CODESYS Control for PLCNext SL, CODESYS Control for Raspberry Pi SL, CODESYS Control for WAGO Touch Panels 600 SL, and CODESYS Virtual Control SL. Specific vulnerable version ranges are not detailed in the available intelligence. The vulnerability is documented in the CERT@VDE advisory VDE-2026-011 at https://certvde.com/de/advisories/VDE-2026-011. Organizations using any CODESYS Control runtime product should consult that advisory for complete version information.
Remediation
Organizations should consult the CERT@VDE advisory at https://certvde.com/de/advisories/VDE-2026-011 for the affected versions and the fixed releases from CODESYS, and apply the vendor updates to every affected CODESYS Control runtime installation as soon as they are available. Because the attack requires only a low-privileged account on the runtime, review the runtime's user management: remove unused accounts, assign the minimum rights each user or engineering workstation needs, and enforce strong passwords (and multi-factor authentication where the surrounding access path supports it). Until patches are deployed, apply compensating controls: restrict network access to the runtime's communication port (by default TCP 11740 on CODESYS V3 runtimes) with firewall rules that permit connections only from authorized engineering workstations and management systems; disable remote access where it is not operationally required; segment the control network from corporate networks and the internet; and watch for unauthorized changes to the boot application with file integrity monitoring, treating any change that does not correspond to an approved project download as an incident.
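The file integrity monitoring mentioned above can be implemented with a small baseline-and-compare script. This is an added example, not code from the CERT@VDE advisory or from CODESYS. It assumes the boot application is stored as files under a directory such as PlcLogic/Application (Application.app and Application.crc on Linux-based CODESYS Control runtimes); confirm the path on your own device, as it differs between platforms.

```python
"""File-integrity baseline and check for a CODESYS boot application directory.

Added example (not from the advisory or from CODESYS). The default directory
below is an assumption for Linux-based CODESYS Control runtimes; verify it
on your device before relying on it.
"""
import hashlib
import json
import sys
from pathlib import Path

# Assumed default location on Linux-based CODESYS Control runtimes.
DEFAULT_BOOT_APP_DIR = "/var/opt/codesys/PlcLogic/Application"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large .app images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 and size."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": path.stat().st_size,
            }
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests; any added, removed or modified file means the
    boot application changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "clean": not (added or removed or modified),
    }


def check_integrity(root, baseline_file) -> dict:
    """Load a stored baseline manifest and compare it with the directory's current state."""
    with open(baseline_file, "r", encoding="utf-8") as fh:
        baseline = json.load(fh)
    return diff_manifests(baseline, build_manifest(root))


def main(argv) -> int:
    # Usage: bootapp_fim.py baseline <dir> <baseline.json>
    #        bootapp_fim.py check    <dir> <baseline.json>
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print("usage: bootapp_fim.py {baseline|check} <boot-app-dir> <baseline.json>")
        return 1
    mode, root, baseline_file = argv[1], argv[2], argv[3]
    if mode == "baseline":
        with open(baseline_file, "w", encoding="utf-8") as fh:
            json.dump(build_manifest(root), fh, indent=2, sort_keys=True)
        return 0
    result = check_integrity(root, baseline_file)
    print(json.dumps(result, indent=2))
    # A non-zero exit code lets a cron job or monitoring agent raise an alert.
    return 0 if result["clean"] else 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Take the baseline immediately after each authorized project download and keep the manifest off the controller (for example on the engineering workstation or a central monitoring host), since an attacker who can replace the boot application could also overwrite a baseline stored next to it. Run the check from that host over a read-only channel where possible, and expect legitimate alerts whenever engineers deploy a new project, so correlate each change with the change record before closing it.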
EUVD-2025-208957
GHSA-25xg-52c8-p9q8