
Severity by source

NVD (primary): 7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None

Lifecycle Timeline (4 events)

  • Analysis Generated: Jun 08, 2026 09:21 (vuln.today)
  • CVSS changed: May 26, 2026 13:37 (NVD), 8.1 (HIGH) -> 7.2 (HIGH)
  • Patch available: May 26, 2026 09:01 (EUVD)
  • CVE Published: May 26, 2026 06:45 (NVD), HIGH 7.2

Description (CVE.org)

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges.

Analysis (AI)

Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20 / 4.21.0.0) allows authenticated low-privileged remote users to delete other accounts, including administrators. Reported by CERT@VDE under advisory VDE-2026-056, with no public exploit identified at time of analysis and a low EPSS score of 0.10% (26th percentile), suggesting limited near-term exploitation likelihood despite the vendor-confirmed authorization flaw.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Obtain low-privileged runtime credentials
  • Delivery: Reach CODESYS runtime over network
  • Exploit: Authenticate to user-management service
  • Execution: Submit delete-user request for admin account
  • Persist: Authorization check bypassed, admin removed
  • Impact: Loss of administrative control over PLC/HMI

Vulnerability Assessment (AI)

Exploitation: The attacker must hold valid credentials for a low-privileged user account on the CODESYS runtime (PR:L) and have network reachability to the runtime's management service, typically the CODESYS V3 communication channel on the controller. …

Risk Assessment: The CVSS 4.0 base score of 7.2 (AV:N/AC:L/AT:N/PR:L/UI:N) reflects network-reachable exploitation by an already-authenticated low-privileged user with no user interaction, yielding high integrity and availability impact (VI:H/VA:H) but no confidentiality loss, which is consistent with destructive account tampering rather than data theft. …

Exploit Scenario: An attacker who has obtained or been issued any low-privileged CODESYS runtime account (for example, a maintenance or read-only operator role) connects over the network to the runtime's user-management interface and issues a delete-user request targeting the administrator account; the runtime authenticates the caller but fails to authorize the action and removes the admin. The result is loss of legitimate administrative control of the PLC/HMI, which in ICS contexts may require on-site recovery and halt production. …

Remediation: Apply the vendor-released patches: upgrade the 3.5.x runtime products (Control Win SL, HMI SL, Runtime Toolkit, Control RTE SL, Control RTE for Beckhoff CX SL) to 3.5.22.20 or later, and upgrade the 4.x SL runtimes (Control for PLCnext, Linux, Linux ARM, Virtual Control, emPC-A/iMX6, WAGO Touch Panels 600, BeagleBone, Raspberry Pi, PFC200, PFC100, IOT2000) to 4.21.0.0 or later, as listed in CERT@VDE advisory VDE-2026-056 (https://www.certvde.com/en/advisories/VDE-2026-056/). …

Recommended Action (AI)

Within 24 hours: Inventory all CODESYS Control deployments and identify systems running versions below 3.5.22.20 (3.x branch) or below 4.21.0.0 (4.x branch). …
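The inventory step above comes down to comparing each deployment's reported runtime version against the two fixed thresholds the advisory names (3.5.22.20 on the 3.x branch, 4.21.0.0 on the 4.x branch). The script below is an added example, not code from vuln.today, CERT@VDE or CODESYS; it assumes your asset inventory yields dotted numeric version strings such as "4.20.0.0", and the host names and products in `SAMPLE_INVENTORY` are constructed for illustration.

```python
"""Triage CODESYS Control deployments against the advisory's fixed versions.

Added example (not the page's or the vendor's code). Assumes inventory
version strings are dotted integers ("3.5.22.10", "4.20.0.0").
"""
from __future__ import annotations

# First fixed version per major branch, taken from the advisory text:
# 3.x runtimes are fixed in 3.5.22.20, 4.x SL runtimes in 4.21.0.0.
FIXED_VERSIONS: dict[int, tuple[int, ...]] = {
    3: (3, 5, 22, 20),
    4: (4, 21, 0, 0),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "3.5.22.10" into (3, 5, 22, 10); short strings are zero-padded."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    version = tuple(int(p) for p in parts)
    return version + (0,) * (4 - len(version))


def is_affected(version_text: str) -> bool | None:
    """True if below the branch's fixed version, False if at/above it.

    Returns None for a major branch the advisory does not cover, so the
    caller can route it to manual review instead of silently passing it.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison is lexicographic, as versions are


# Constructed sample inventory: (host, product, reported runtime version).
SAMPLE_INVENTORY = [
    ("plc-line1", "CODESYS Control for Raspberry Pi SL", "4.20.0.0"),
    ("plc-line2", "CODESYS Control for Linux SL", "4.21.0.0"),
    ("hmi-cell3", "CODESYS HMI SL", "3.5.22.10"),
    ("eng-ws", "CODESYS Control Win SL", "3.5.22.20"),
    ("edge-gw", "CODESYS Control (hypothetical 5.x build)", "5.0.0.0"),
]


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Bucket hosts into affected / patched / unknown for the remediation queue."""
    report: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, _product, version_text in inventory:
        verdict = is_affected(version_text)
        if verdict is None:
            report["unknown"].append(host)
        elif verdict:
            report["affected"].append(host)
        else:
            report["patched"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `None` verdict for an uncovered major branch is deliberate: a version-check that treats "not in my table" as "patched" will quietly drop assets from the remediation list, which is the opposite of what a 24-hour inventory is for. Confirm product-to-version mapping against the CERT@VDE advisory itself, since product packages can carry their own version numbering.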


EUVD-2026-31799 vulnerability details – vuln.today
