Codesys Control For Beaglebone Sl
Monthly
Denial of service in CODESYS Control runtime products and HMI/Toolkit components allows unauthenticated remote attackers to crash affected industrial control systems by sending malformed HTTP requests that trigger a size-limited out-of-bounds write during length parsing. The flaw affects a broad range of CODESYS runtime variants used in PLCs, industrial PCs and embedded controllers, including Beckhoff and WAGO hardware and Raspberry Pi-based deployments. No public exploit was identified at the time of analysis and the EPSS score is low (0.07%), but the attack surface is network-reachable and requires no privileges, which makes the issue operationally significant for OT environments, where a crashed runtime stops the control logic it executes.
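The bug class in the entry above, a length field taken from the request and trusted as a write bound, is the one thing a runtime maintainer can check for directly in code. The following C example is added here and is not CODESYS code: it places the unsafe shape beside a hardened Content-Length parser and body copy. The BODY_CAP constant, the function names and the request inputs are constructed for the illustration; the CODESYS defect is described only as a size-limited out-of-bounds write, so the overrun shown is the generic form of the class, not a reproduction of the reported flaw.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical receive-buffer size for the example; not a CODESYS constant. */
#define BODY_CAP 4096

/*
 * Vulnerable shape (illustrative only): the declared length is parsed and
 * used as the write bound while the destination's real capacity is ignored.
 * A request whose declared length exceeds body_cap makes memcpy() write past
 * the end of body[].  The demo only calls it with a well-formed request,
 * because the overrun is undefined behaviour.
 */
size_t read_body_unsafe(char *body, size_t body_cap, const char *declared_len,
                        const char *payload, size_t payload_len)
{
    (void)body_cap;                         /* BUG: destination size unused */
    size_t n = (size_t)strtoul(declared_len, NULL, 10);
    if (n > payload_len) n = payload_len;   /* only the wire bounds the copy */
    memcpy(body, payload, n);
    return n;
}

/*
 * Hardened length parser.  Returns 0 and stores the value in *out, or -1 if
 * the field is not a plain decimal number, overflows, or exceeds max.
 * Rejecting here keeps every later write bounded by a number the code chose.
 */
int parse_content_length(const char *field, size_t max, size_t *out)
{
    if (field == NULL || *field == '\0') return -1;
    for (const char *p = field; *p; p++)    /* digits only: no sign, space, hex */
        if (*p < '0' || *p > '9') return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(field, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    if (v > (unsigned long long)max) return -1;
    *out = (size_t)v;
    return 0;
}

/*
 * Hardened body read: the declared length must parse, fit the destination
 * and be fully present on the wire.  Returns bytes copied, or -1 to reject.
 */
long read_body_safe(char *body, size_t body_cap, const char *declared_len,
                    const char *payload, size_t payload_len)
{
    size_t n;
    if (parse_content_length(declared_len, body_cap, &n) != 0) return -1;
    if (n > payload_len) return -1;         /* short body: reject, don't guess */
    memcpy(body, payload, n);
    return (long)n;
}

int main(void)
{
    /* Constructed inputs: one honest request, two with bad declared lengths. */
    static char body[BODY_CAP];
    const char *payload = "{\"cmd\":\"status\"}";   /* 16 bytes */
    size_t plen = strlen(payload);
    printf("honest:    %ld\n", read_body_safe(body, sizeof body, "16", payload, plen));
    printf("overflow:  %ld\n", read_body_safe(body, sizeof body, "99999999999999999999999", payload, plen));
    printf("over cap:  %ld\n", read_body_safe(body, sizeof body, "8192", payload, plen));
    return 0;
}
```

The parser rejects before any copy happens, so the only lengths that reach memcpy() are ones already checked against the destination capacity; the unsafe variant is kept only to show which check is missing.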
Privilege escalation through unauthorized account deletion in CODESYS Control runtime products (versions below 3.5.22.20 / 4.21.0.0) allows authenticated, low-privileged remote users to delete other accounts, including administrator accounts. Reported by CERT@VDE under advisory VDE-2026-056. No public exploit was identified at the time of analysis and the EPSS score is low (0.10%, 26th percentile), suggesting limited near-term exploitation likelihood; the authorization flaw itself is vendor-confirmed, and any credential that can log in to the runtime is enough to exercise it.
A format string vulnerability in the Audit Log component of the CODESYS Control runtime system allows unauthenticated remote attackers to inject format specifiers into logged messages. It affects numerous CODESYS Control products across multiple platforms, including Windows, Linux, embedded systems (BeagleBone, Raspberry Pi, PFC100/200) and industrial controllers (Beckhoff CX, WAGO Touch Panels). Exploitation can crash the runtime system, a denial of service; the CVSS score of 7.5 reflects a high availability impact.
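How a format string defect in a logging path arises, and what the fix looks like, as an added C example that is not CODESYS code. emit() is a hypothetical stand-in for the runtime's audit-log writer, the function names are constructed, and the user names are constructed inputs. The block also includes a small heuristic for flagging printf conversions in fields that should never contain any, which is useful when reviewing audit logs for attempts against this class of bug. The vulnerable function is called only with a benign name, since handing "%n" to vsnprintf as a format is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256

/* Hypothetical logging sink; stands in for the runtime's audit-log writer. */
static int emit(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/*
 * Vulnerable shape: the message is assembled first, then handed to the sink
 * as the *format*.  A user name of "%n" or "%s%s%s%s" is interpreted by
 * vsnprintf, which reads or writes through non-existent arguments and can
 * crash the runtime.
 */
int audit_login_failed_vulnerable(char *out, size_t cap, const char *user)
{
    char msg[LOG_LINE_MAX];
    snprintf(msg, sizeof msg, "login failed for user %s", user);
    return emit(out, cap, msg);   /* BUG: msg carries attacker-chosen specifiers */
}

/*
 * Hardened: the format string is a literal and user data is only ever an
 * argument to %s, so "%n" in the name is copied out as two ordinary bytes.
 */
int audit_login_failed_safe(char *out, size_t cap, const char *user)
{
    return emit(out, cap, "login failed for user %s", user);
}

/*
 * Detection heuristic for log review: count printf conversions in text that
 * should never contain any (a user name, a host name).  "%%" is a literal
 * percent sign and is skipped.
 */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char line[LOG_LINE_MAX];
    const char *names[] = { "alice", "%08x.%08x.%n" };   /* constructed inputs */
    for (size_t i = 0; i < 2; i++) {
        audit_login_failed_safe(line, sizeof line, names[i]);
        printf("%s  (conversions in name: %d)\n", line, count_conversions(names[i]));
    }
    return 0;
}
```

The two functions produce identical output for ordinary names; they differ only when the name contains a conversion, which is exactly the input an attacker would send. Compilers warn about non-literal formats only when they can see the printf-like signature, so a wrapper like emit() without a format attribute hides the defect from -Wformat-security; that is one reason the pattern survives in logging layers.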
A vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot application, the project the runtime loads and executes at start-up, resulting in arbitrary code execution with high impact on confidentiality, integrity and availability. It affects numerous CODESYS Control variants across Linux, Windows, embedded systems and industrial controllers. With a CVSS score of 8.8, a network attack vector and only low privileges required, this is a significant threat to industrial control systems and automation environments; until patched, any account that can log in to the runtime should be treated as able to replace the controller's logic.