Skip to main content

Codesys Development System

2 CVEs product

Monthly

CVE-2026-44469 HIGH PATCH This Week

Local privilege escalation in CODESYS Development System versions 3.0.0.0 through 3.5.22.19 allows a low-privileged local attacker to win a TOCTOU race condition during administrative installation, swapping verified installer files for malicious ones before they execute with elevated rights. The flaw stems from insecure default permissions on the temporary extraction directory used by the installer. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.01%, 1st percentile).

Privilege Escalation Codesys Development System
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-44468 HIGH PATCH This Week

Local privilege escalation in CODESYS Development System versions 3.0.0.0 through 3.5.22.20 allows low-privileged users on a Windows host to tamper with a temporary component manifest written during administrative installation, forcing deployment of attacker-chosen components with elevated rights. The flaw stems from insecure default permissions (CWE-276) on a directory used during install and was reported by CERT@VDE. EPSS is 0.01% and SSVC reports no observed exploitation, so this is a high-impact but currently low-prevalence local issue.

Privilege Escalation Codesys Development System
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in CODESYS Development System versions 3.0.0.0 through 3.5.22.19 allows a low-privileged local attacker to win a TOCTOU race condition during administrative installation, swapping verified installer files for malicious ones before they execute with elevated rights. The flaw stems from insecure default permissions on the temporary extraction directory used by the installer. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.01%, 1st percentile).

Privilege Escalation Codesys Development System
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in CODESYS Development System versions 3.0.0.0 through 3.5.22.20 allows low-privileged users on a Windows host to tamper with a temporary component manifest written during administrative installation, forcing deployment of attacker-chosen components with elevated rights. The flaw stems from insecure default permissions (CWE-276) on a directory used during install and was reported by CERT@VDE. EPSS is 0.01% and SSVC reports no observed exploitation, so this is a high-impact but currently low-prevalence local issue.

Privilege Escalation Codesys Development System
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy