Severity by source
CVSS 3.1 vector (NVD, primary rating and only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.
Analysis (AI-generated)
A vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot application, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability affects numerous CODESYS Control variants across multiple platforms including Linux, Windows, embedded systems, and industrial controllers. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privileges, this represents a significant threat to industrial control systems and automation environments.
Technical Context (AI-generated)
CODESYS Control is a widely deployed runtime system for programmable logic controllers (PLCs) and industrial automation devices. This vulnerability stems from CWE-669 (Incorrect Resource Transfer Between Spheres), indicating improper isolation or validation when handling boot application components. The affected products span the entire CODESYS ecosystem including Control RTE (Runtime Environment), Control Win, HMI, and Runtime Toolkit, as well as platform-specific implementations for Beckhoff CX controllers, BeagleBone, Raspberry Pi, WAGO Touch Panels, Linux ARM systems, IOT2000 devices, and PLCNext controllers. The boot application replacement mechanism lacks sufficient authorization checks, allowing authenticated users with low privileges to substitute legitimate boot code with malicious payloads that execute during system startup with elevated privileges.
Remediation (AI-generated)
Organizations should immediately consult the CERT@VDE advisory at https://certvde.com/de/advisories/VDE-2026-011 for specific patching guidance and affected version details from CODESYS. Apply vendor-provided security updates as soon as they become available for all affected CODESYS Control runtime installations. Until patches can be deployed, implement compensating controls including restricting network access to CODESYS runtime systems using firewall rules that permit connections only from authorized engineering workstations and management systems, enforcing strong authentication with multi-factor authentication where possible, conducting audits of user privilege assignments to ensure least-privilege principles, monitoring for unauthorized boot application modifications through file integrity monitoring, and disabling remote access capabilities if not operationally required. Consider network segmentation to isolate industrial control systems from corporate networks and the internet.
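One way to implement the file integrity monitoring recommended above, as an added example that is not CODESYS's own tooling: it baselines SHA-256 digests of the boot application directory and reports any replaced, added or removed file. The directory path and the file name Application.app are placeholders, not values taken from this page.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Placeholder: point this at the runtime's real boot-application directory.
BOOT_APP_DIR = Path("/path/to/boot-application")

def hash_tree(root: Path) -> dict:
    """Return {relative path: SHA-256 hex digest} for every regular file under root."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift; a modified or added file is the signal that the boot app may have been replaced."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def check(root: Path, baseline_file: Path) -> dict:
    """Compare root against a stored JSON baseline, creating it on the first run.
    Keep the baseline where the runtime's low-privileged users cannot write to it."""
    current = hash_tree(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        return {"modified": [], "added": [], "removed": []}
    return compare(json.loads(baseline_file.read_text()), current)

def demo_on_constructed_sample() -> dict:
    """Constructed sample (not real CODESYS files): baseline, then overwrite one file."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline = Path(tmp) / "app", Path(tmp) / "baseline.json"
        root.mkdir()
        (root / "Application.app").write_bytes(b"original boot application")
        check(root, baseline)                                # first run stores the baseline
        (root / "Application.app").write_bytes(b"swapped")  # simulate a replaced boot app
        return check(root, baseline)

if __name__ == "__main__":
    drift = check(BOOT_APP_DIR, BOOT_APP_DIR.parent / "bootapp.baseline.json")
    print("ALERT: boot application changed" if any(drift.values()) else "OK", drift)
```

Run it from a scheduled job on a host other than the controller where possible, so that a replaced boot application is reported even if the runtime host itself is compromised.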
Related identifiers: EUVD-2025-208957, GHSA-25xg-52c8-p9q8