Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device.
AnalysisAI
Denial of service in CODESYS Control runtime products and HMI/Toolkit components allows unauthenticated remote attackers to crash affected industrial control systems by sending malformed HTTP requests that trigger a size-limited out-of-bounds write during length parsing. The flaw affects a broad range of CODESYS runtime variants used across PLCs, industrial PCs, and embedded controllers from vendors like Beckhoff, WAGO, and Raspberry Pi-based deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The affected CODESYS runtime's HTTP management/communication interface must be reachable from the attacker's network position - typically TCP port exposure on the controller or industrial PC running CODESYS Control RTE/Win, HMI, Runtime Toolkit, or any Control for X SL variant in the listed version ranges. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VA:H and zero confidentiality/integrity impact aligns with a pure availability denial of service - consistent with the description's crash outcome. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the OT network (or one who has pivoted from IT through a flat or poorly segmented network) sends a single crafted HTTP request with a malformed length field to the CODESYS runtime's exposed port, triggering the out-of-bounds write and crashing the runtime process. Because CODESYS runtimes execute control logic for PLCs and industrial gateways, the crash halts the controlled process - potentially stopping a production line, HVAC system, or safety-adjacent function until the runtime is restarted. … |
| Remediation | Upgrade to CODESYS Control RTE/Win/HMI/Runtime Toolkit version 3.5.22.20 or later for the 3.5.x branch, and to version 4.21.0.0 or later for all Control for X SL products and Virtual Control SL. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all CODESYS Control runtime and HMI/Toolkit instances; prioritize identification of internet-exposed or network-accessible deployments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Codesys Control Rte Sl
View allA vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot applicati
A format string vulnerability exists in the Audit Log component of CODESYS Control runtime system that allows unauthenti
Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31800
GHSA-x9mr-w23g-rxq7