Severity by source
CVSS vector (NVD; primary rating and the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges.
Analysis (AI)
Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20 / 4.21.0.0) allows authenticated low-privileged remote users to delete other accounts, including administrators. Reported by CERT@VDE under advisory VDE-2026-056, with no public exploit identified at time of analysis and a low EPSS score of 0.10% (26th percentile), suggesting limited near-term exploitation likelihood despite the vendor-confirmed authorization flaw.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Attacker must hold valid credentials for a low-privileged user account on the CODESYS runtime (PR:L) and have network reachability to the runtime's management service, typically the CODESYS V3 communication channel on the controller. … |
| Risk Assessment | The CVSS 4.0 base score of 7.2 (AV:N/AC:L/AT:N/PR:L/UI:N) reflects network-reachable exploitation by an already-authenticated low-privileged user with no user interaction, yielding high integrity and availability impact (VI:H/VA:H) but no confidentiality loss, consistent with destructive account tampering rather than data theft. … |
| Exploit Scenario | An attacker who has obtained or been issued any low-privileged CODESYS runtime account (for example, a maintenance or read-only operator role) connects over the network to the runtime's user-management interface and issues a delete-user request targeting the administrator account; the runtime authenticates the caller but fails to authorize the action and removes the admin. The result is loss of legitimate administrative control of the PLC/HMI, which in ICS contexts may require on-site recovery and halt production. … |
| Remediation | Apply the vendor-released patches: upgrade the 3.5.x runtime products (Control Win SL, HMI SL, Runtime Toolkit, Control RTE SL, Control RTE for Beckhoff CX SL) to 3.5.22.20 or later, and upgrade the 4.x SL runtimes (Control for PLCnext, Linux, Linux ARM, Virtual Control, emPC-A/iMX6, WAGO Touch Panels 600, BeagleBone, Raspberry Pi, PFC200, PFC100, IOT2000) to 4.21.0.0 or later, as listed in CERT@VDE advisory VDE-2026-056 (https://www.certvde.com/en/advisories/VDE-2026-056/). … |
Recommended Action (AI)
Within 24 hours: Inventory all CODESYS Control deployments and identify systems running versions below 3.5.22.20 (3.x branch) or below 4.21.0.0 (4.x branch). …
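To support the inventory step above, here is an added Python example (not code from vuln.today or from CODESYS) that classifies runtime version strings against the fixed versions the advisory names, 3.5.22.20 for the 3.5.x branch and 4.21.0.0 for the 4.x branch. The host names and version strings in the sample inventory are constructed; only the branch-to-fixed-version mapping comes from the page. It compares versions numerically, which matters because a plain string comparison would sort "3.5.9.0" after "3.5.22.20" and report an affected controller as patched.

```python
"""Added example, not code from vuln.today or from CODESYS: classify CODESYS
Control runtime version strings against the fixed versions the advisory names
(3.5.22.20 for the 3.5.x branch, 4.21.0.0 for the 4.x branch) to support the
"inventory affected systems" step. Host names and versions are constructed."""

# First fixed version per major branch, taken from the advisory text above.
FIXED_VERSIONS = {
    3: (3, 5, 22, 20),
    4: (4, 21, 0, 0),
}


def parse_version(text):
    """Turn '3.5.22.20' into (3, 5, 22, 20); shorter forms are zero-padded.

    Comparing tuples of ints avoids the lexicographic mistake where the
    string '3.5.9.0' sorts after '3.5.22.20' and looks patched.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(version_text):
    """True if below the branch's fixed version, False if at or after it,
    None if the major branch is not covered by the advisory."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory):
    """Split {host: version} into affected / patched / unknown host lists.

    Unparseable strings and uncovered branches land in 'unknown' so that
    they get a manual look rather than being silently treated as safe."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            status = is_affected(version)
        except ValueError:
            status = None
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["affected"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, not from the page).
SAMPLE_INVENTORY = {
    "plc-01": "3.5.19.0",     # 3.5.x branch, below 3.5.22.20
    "plc-02": "3.5.22.20",    # exactly the fixed version
    "plc-03": "3.5.9.0",      # would look patched under string comparison
    "hmi-01": "4.20.0.0",     # 4.x branch, below 4.21.0.0
    "edge-01": "4.21.0.0",    # fixed
    "legacy-01": "2.3.9.0",   # branch not covered by the advisory
    "gw-01": "unknown",       # inventory agent returned no version
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Feed `triage()` the host-to-version map your asset inventory already produces; anything in the `unknown` bucket needs a manual check before it is counted as patched.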
Weakness: CWE-863 – Incorrect Authorization
Technique: Authentication Bypass
Related identifiers: EUVD-2026-31799, GHSA-h6mv-mgpj-6795