Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.
AnalysisAI
A format string vulnerability exists in the Audit Log component of CODESYS Control runtime system that allows unauthenticated remote attackers to inject malicious format specifiers into log messages. This affects numerous CODESYS Control products across multiple platforms including Windows, Linux, embedded systems (BeagleBone, Raspberry Pi, PFC100/200), and industrial controllers (Beckhoff CX, WAGO Touch Panels). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires CODESYS Control runtime system with Audit Log enabled and accessible over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates this is a network-exploitable vulnerability requiring low attack complexity with no authentication, making it highly accessible to attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker on the network identifies a CODESYS Control runtime system with accessible audit logging functionality, then crafts malicious network requests containing format string specifiers (such as %n, %s, or multiple %x sequences) that are processed by the audit log mechanism. When the CODESYS runtime processes these malicious format strings during log generation, the vulnerability triggers memory corruption or an exception condition that crashes the control runtime, causing a denial-of-service that halts industrial automation processes. … |
| Remediation | Consult the CERT@VDE security advisory VDE-2026-018 at https://certvde.com/de/advisories/VDE-2026-018 for vendor-provided patches and specific version updates that address this format string vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all CODESYS Control installations in your environment using asset inventory and network scanning; notify relevant operations and engineering teams of exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Codesys Control Rte Sl
View allA vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot applicati
Denial of service in CODESYS Control runtime products and HMI/Toolkit components allows unauthenticated remote attackers
Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20
Same weakness CWE-134 – Use of Externally-Controlled Format String
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14784
GHSA-34rr-qp2j-p4q7