Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections.
AnalysisAI
TCP connection exhaustion in CODESYS Modbus TCP Server allows remote unauthenticated attackers to trigger a race condition in connection handling, depleting all available TCP connections and denying service to legitimate industrial automation clients. CVSS 8.2 (High) reflects high availability impact. No active exploitation confirmed (not in CISA KEV), but attack complexity is low with present race condition opportunity (AT:P). Patch available from vendor for versions prior to 4.6.0.0.
Technical ContextAI
CODESYS Modbus TCP Server implements the Modbus TCP protocol (TCP/502), a widely-used industrial automation protocol for SCADA and PLC communication. The vulnerability stems from CWE-772 (Missing Release of Resource after Effective Lifetime) - a classic resource exhaustion flaw where connection objects are not properly released after use. A race condition in the TCP connection handler allows an attacker to trigger simultaneous connection attempts that bypass normal resource cleanup, causing file descriptor or socket pool exhaustion. This affects the CODESYS Modbus stack (CPE: cpe:2.3:a:codesys:codesys_modbus), a commercial Modbus server library integrated into industrial control systems. Modbus TCP typically maintains a limited connection pool (often 5-10 concurrent connections); exhausting this pool renders the device unresponsive to legitimate HMI clients, engineering workstations, or supervisory systems.
RemediationAI
Upgrade CODESYS Modbus to version 4.6.0.0 or later, which addresses the race condition in TCP connection handling. Consult device manufacturer for firmware update procedures, as CODESYS Modbus is typically embedded in third-party industrial hardware. If immediate patching is not feasible, implement network-level compensating controls: (1) Deploy Modbus TCP gateway or proxy with connection rate limiting (e.g., max 2 new connections/second per source IP) to prevent rapid connection attempts needed to exploit the race window - trade-off: may slow legitimate client reconnections during network events; (2) Configure stateful firewall rules restricting Modbus TCP (port 502) access to explicitly authorized HMI/SCADA IP addresses only - eliminates remote unauthenticated attack surface but requires maintaining accurate IP allowlists; (3) Enable connection monitoring/alerting for abnormal Modbus TCP connection patterns (connection attempts exceeding normal baseline) to detect exploitation attempts. Workarounds reduce but do not eliminate risk; patching remains the definitive fix. Advisory: https://certvde.com/de/advisories/VDE-2026-042.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29390
GHSA-qc33-pwh4-j9rq