Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary components.
AnalysisAI
Local privilege escalation in CODESYS Development System versions 3.0.0.0 through 3.5.22.20 allows low-privileged users on a Windows host to tamper with a temporary component manifest written during administrative installation, forcing deployment of attacker-chosen components with elevated rights. The flaw stems from insecure default permissions (CWE-276) on a directory used during install and was reported by CERT@VDE. EPSS is 0.01% and SSVC reports no observed exploitation, so this is a high-impact but currently low-prevalence local issue.
Technical ContextAI
CODESYS Development System is the IEC 61131-3 engineering workstation used to program PLCs and industrial controllers across many OEM brands (Beckhoff, Wago, Schneider OEMs, etc.), so it is commonly deployed on engineering laptops in OT environments. During administrative installation the installer creates a working directory with overly permissive default ACLs (CWE-276 - Incorrect Default Permissions); a temporary file inside this directory describes which components will be installed. Because the directory inherits world-writable or user-writable permissions, an unprivileged local account can race or pre-position a modified manifest before the elevated installer consumes it, causing it to deploy arbitrary components in the SYSTEM/admin context.
RemediationAI
Vendor-released patch: CODESYS Development System 3.5.22.20 or later - upgrade per the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-055/. Until the upgrade is rolled out across engineering workstations, restrict administrative installation of CODESYS to dedicated provisioning machines that no untrusted local user can log into, and after installation manually tighten the ACLs on the CODESYS install/working directory to remove write/modify rights for non-administrators (side effect: subsequent component installs may need to be re-run from an elevated session). Where possible, prevent low-privileged users from triggering installs entirely by removing them from local groups that can launch elevated installers, and monitor file integrity on the component manifest path during install windows; avoid leaving partially completed installs on shared multi-user hosts.
More in Codesys Development System
View allSame weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31798
GHSA-x347-p9xc-q762