Skip to main content

CODESYS Development System CVE-2026-44469

| EUVDEUVD-2026-31797 HIGH
Incorrect Default Permissions (CWE-276)
2026-05-26 CERTVDE GHSA-fhx5-27vm-6mqj
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 10:20 vuln.today
CVSS changed
May 26, 2026 - 13:37 NVD
7.8 (HIGH) 8.5 (HIGH)
Patch available
May 26, 2026 - 09:01 EUVD

DescriptionCVE.org

The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative installation. A low-privileged local attacker can exploit a TOCTOU race condition with a practical time window to replace verified files with malicious ones before installation, resulting in local privilege escalation.

AnalysisAI

Local privilege escalation in CODESYS Development System versions 3.0.0.0 through 3.5.22.19 allows a low-privileged local attacker to win a TOCTOU race condition during administrative installation, swapping verified installer files for malicious ones before they execute with elevated rights. The flaw stems from insecure default permissions on the temporary extraction directory used by the installer. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.01%, 1st percentile).

Technical ContextAI

CODESYS Development System is the integrated development environment used to program IEC 61131-3 PLCs across many industrial automation vendors, so it is widely deployed on engineering workstations in OT/ICS environments (CPE: cpe:2.3:a:codesys:codesys_development_system). The root cause is CWE-276 (Incorrect Default Permissions): during administrative install, the installer extracts files to a temp directory that is writable by lower-privileged users, creating a time-of-check-to-time-of-use (TOCTOU) gap between signature/integrity validation and execution. Because the installer ultimately runs the extracted binaries with administrator privileges, an attacker who wins the race substitutes attacker-controlled code into the elevated execution path.

RemediationAI

Vendor-released patch: upgrade CODESYS Development System to 3.5.22.20 or later, as documented in the CERT@VDE advisory VDE-2026-055 (https://www.certvde.com/en/advisories/VDE-2026-055/). Until the upgrade can be deployed, only perform installations from accounts where no other low-privileged users are concurrently logged on the same host, and restrict interactive logon to engineering workstations so that an attacker cannot pre-position a process that races the installer; on shared workstations, harden the default ACL of the system temp directory (e.g., remove write access for non-administrative users) - note this can break other installers and applications that legitimately use per-user temp paths, so test before broad rollout. Application allowlisting (e.g., WDAC/AppLocker) on the engineering workstation will not stop the elevation by itself because the installer is trusted, but it reduces the value of a successful escalation by limiting what attacker-supplied binaries can run.

Share

CVE-2026-44469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy