Skip to main content

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 09:21 vuln.today
CVSS changed
May 26, 2026 - 13:37 NVD
7.5 (HIGH) 8.7 (HIGH)
Patch available
May 26, 2026 - 09:01 EUVD
CVE Published
May 26, 2026 - 06:49 nvd
HIGH 8.7

DescriptionCVE.org

The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device.

AnalysisAI

Denial of service in CODESYS Control runtime products and HMI/Toolkit components allows unauthenticated remote attackers to crash affected industrial control systems by sending malformed HTTP requests that trigger a size-limited out-of-bounds write during length parsing. The flaw affects a broad range of CODESYS runtime variants used across PLCs, industrial PCs, and embedded controllers from vendors like Beckhoff, WAGO, and Raspberry Pi-based deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed CODESYS runtime port
Delivery
Craft malformed-length HTTP request
Exploit
Send to runtime HTTP interface
Execution
Trigger out-of-bounds write in parser
Persist
Crash runtime process
Impact
Halt PLC control logic and physical process

Vulnerability AssessmentAI

Exploitation The affected CODESYS runtime's HTTP management/communication interface must be reachable from the attacker's network position - typically TCP port exposure on the controller or industrial PC running CODESYS Control RTE/Win, HMI, Runtime Toolkit, or any Control for X SL variant in the listed version ranges. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VA:H and zero confidentiality/integrity impact aligns with a pure availability denial of service - consistent with the description's crash outcome. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the OT network (or one who has pivoted from IT through a flat or poorly segmented network) sends a single crafted HTTP request with a malformed length field to the CODESYS runtime's exposed port, triggering the out-of-bounds write and crashing the runtime process. Because CODESYS runtimes execute control logic for PLCs and industrial gateways, the crash halts the controlled process - potentially stopping a production line, HVAC system, or safety-adjacent function until the runtime is restarted. …
Remediation Upgrade to CODESYS Control RTE/Win/HMI/Runtime Toolkit version 3.5.22.20 or later for the 3.5.x branch, and to version 4.21.0.0 or later for all Control for X SL products and Virtual Control SL. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all CODESYS Control runtime and HMI/Toolkit instances; prioritize identification of internet-exposed or network-accessible deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-31800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy