Skip to main content

CODESYS Development System CVE-2026-44468

| EUVDEUVD-2026-31798 HIGH
Incorrect Default Permissions (CWE-276)
2026-05-26 CERTVDE GHSA-x347-p9xc-q762
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 10:20 vuln.today
CVSS changed
May 26, 2026 - 13:37 NVD
7.8 (HIGH) 8.5 (HIGH)
Patch available
May 26, 2026 - 09:01 EUVD

DescriptionCVE.org

The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary components.

AnalysisAI

Local privilege escalation in CODESYS Development System versions 3.0.0.0 through 3.5.22.20 allows low-privileged users on a Windows host to tamper with a temporary component manifest written during administrative installation, forcing deployment of attacker-chosen components with elevated rights. The flaw stems from insecure default permissions (CWE-276) on a directory used during install and was reported by CERT@VDE. EPSS is 0.01% and SSVC reports no observed exploitation, so this is a high-impact but currently low-prevalence local issue.

Technical ContextAI

CODESYS Development System is the IEC 61131-3 engineering workstation used to program PLCs and industrial controllers across many OEM brands (Beckhoff, Wago, Schneider OEMs, etc.), so it is commonly deployed on engineering laptops in OT environments. During administrative installation the installer creates a working directory with overly permissive default ACLs (CWE-276 - Incorrect Default Permissions); a temporary file inside this directory describes which components will be installed. Because the directory inherits world-writable or user-writable permissions, an unprivileged local account can race or pre-position a modified manifest before the elevated installer consumes it, causing it to deploy arbitrary components in the SYSTEM/admin context.

RemediationAI

Vendor-released patch: CODESYS Development System 3.5.22.20 or later - upgrade per the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-055/. Until the upgrade is rolled out across engineering workstations, restrict administrative installation of CODESYS to dedicated provisioning machines that no untrusted local user can log into, and after installation manually tighten the ACLs on the CODESYS install/working directory to remove write/modify rights for non-administrators (side effect: subsequent component installs may need to be re-run from an elevated session). Where possible, prevent low-privileged users from triggering installs entirely by removing them from local groups that can launch elevated installers, and monitor file integrity on the component manifest path during install windows; avoid leaving partially completed installs on shared multi-user hosts.

Share

CVE-2026-44468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy