CODESYS Control V3 - NULL pointer dereference

Priority: Plan Patch | CVSS 7.5 | VDE-2025-070 | Aug 4, 2025
Tags: CODESYS, Phoenix Contact, WAGO, Beckhoff, Manufacturing
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A NULL pointer dereference vulnerability exists in the CmpDevice component of the CODESYS Control runtime. An unauthenticated attacker who can reach the runtime over the network can send specially crafted requests that crash it and stop the industrial process it controls. The same crash can also be triggered by legacy CODESYS clients (versions prior to 3.5.16.0) attempting to log in to the runtime. Patches are available for all affected CODESYS Control variants. As a temporary mitigation, restrict the login authentication type to asymmetric only via the CODESYSControl.cfg configuration file.

What this means
What could happen
An attacker can crash a CODESYS Control runtime system and shut down operations by sending specially crafted network requests, causing a denial-of-service condition with no authentication required.
Who's at risk
Manufacturing facilities using CODESYS Control runtimes (including those deployed on Beckhoff CX systems, WAGO PLCs, Linux-based industrial controllers, and Raspberry Pi/BeagleBone edge controllers). This impacts any operation running CODESYS-based automation logic.
How it could be exploited
An attacker sends malformed communication requests to the CODESYS Control runtime over the network. The CmpDevice component processes these requests without proper validation, triggering a NULL pointer dereference that crashes the runtime and halts any industrial processes running under its control.
Prerequisites
  • Network access to the CODESYS Control runtime port (TCP 11740 by default)
  • No credentials required
  • Vulnerable CODESYS Control version installed and running
Tags: remotely exploitable, no authentication required, low complexity, causes denial of service, affects industrial automation controls
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (16)
16 with fix

Product                              Affected versions               Fix status
Control RTE (SL)                     >= 3.5.21.10 and < 3.5.21.20    fixed in 3.5.21.20
Control RTE (for Beckhoff CX) SL     >= 3.5.21.10 and < 3.5.21.20    fixed in 3.5.21.20
Control Win (SL)                     >= 3.5.21.10 and < 3.5.21.20    fixed in 3.5.21.20
HMI (SL)                             >= 3.5.21.10 and < 3.5.21.20    fixed in 3.5.21.20
Runtime Toolkit                      >= 3.5.21.10 and < 3.5.21.20    fixed in 3.5.21.20

The remaining 11 products (the Linux, ARM, PFC, PLCnext, Raspberry Pi, BeagleBone, IOT2000, emPC, WAGO Touch Panel and Virtual Control SL variants) are listed under Remediation & Mitigation with fix version 4.17.0.0.
Remediation & Mitigation
Do now
WORKAROUND: As an immediate workaround before patching, configure the CODESYS Control runtime to accept only asymmetric login authentication by setting 'SECURITY.UserLogin_AuthenticationType=ONLY_ASYMMETRIC' in the CODESYSControl.cfg configuration file and restarting the runtime so the setting takes effect. Because the crash is also triggered by legacy CODESYS clients (prior to 3.5.16.0) attempting to log in, this setting rejects clients that only support the older login type; check the client versions on your engineering stations before enabling it.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX (3.5.21.x family): Update CODESYS Control RTE (SL), Control RTE (for Beckhoff CX) SL, Control Win (SL), HMI (SL), and Runtime Toolkit to version 3.5.21.20 or later
HOTFIX (4.x Linux/ARM and other SL variants): Update CODESYS Control for BeagleBone SL, emPC-A/iMX6 SL, IOT2000 SL, Linux ARM SL, Linux SL, PFC100 SL, PFC200 SL, PLCnext SL, Raspberry Pi SL, WAGO Touch Panels 600 SL, and Virtual Control SL to version 4.17.0.0 or later
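The affected-version table and the workaround above are the two things a defender has to check on every CODESYS host before and after the maintenance window. The script below is an added example, not CODESYS or vendor code: it compares an installed version against the advisory's ranges as integer tuples (string comparison gets "3.5.21.9" vs "3.5.21.10" wrong) and scans CODESYSControl.cfg text for the ONLY_ASYMMETRIC setting. It assumes the dotted 'SECURITY.UserLogin_AuthenticationType' form in the advisory is accepted either as a flat 'SECURITY.Key=value' line or as 'Key=value' under a '[SECURITY]' header, that ';' at line start is a comment, and that the last assignment wins; confirm these against the runtime documentation for your build. The sample configurations are constructed for the example.

```python
"""Triage helper for VDE-2025-070 on a CODESYS Control host.

Added example; not CODESYS or vendor code. It answers two questions from the
advisory: (1) is the installed runtime version inside an affected range from the
product table, and (2) does CODESYSControl.cfg carry the interim workaround
SECURITY.UserLogin_AuthenticationType=ONLY_ASYMMETRIC.
"""
import re

# Affected ranges as stated in the advisory table: product -> (first affected, first fixed).
AFFECTED = {
    "Control RTE (SL)": ("3.5.21.10", "3.5.21.20"),
    "Control RTE (for Beckhoff CX) SL": ("3.5.21.10", "3.5.21.20"),
    "Control Win (SL)": ("3.5.21.10", "3.5.21.20"),
    "HMI (SL)": ("3.5.21.10", "3.5.21.20"),
    "Runtime Toolkit": ("3.5.21.10", "3.5.21.20"),
}

# The advisory writes the setting in dotted "SECTION.Key" form. Assumption: the
# runtime accepts it either as a flat "SECURITY.Key=value" line or as "Key=value"
# under a "[SECURITY]" header; confirm the section name for your build.
SECTION = "SECURITY"
KEY = "UserLogin_AuthenticationType"
SAFE_VALUE = "ONLY_ASYMMETRIC"


def parse_version(text):
    """'3.5.21.10' -> (3, 5, 21, 10). Compare as integer tuples, never as strings:
    '3.5.21.9' > '3.5.21.10' lexically, but 3.5.21.9 < 3.5.21.10 numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True if version lies in [first affected, first fixed) for a product in the table."""
    lo, hi = AFFECTED[product]
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def workaround_active(cfg_text):
    """Scan CODESYSControl.cfg text for the workaround. Returns (active, value_found).

    Assumptions: ';' at line start introduces a comment, and the last matching
    assignment wins when the key is set more than once."""
    section, value = None, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        dotted = key.lower() == f"{SECTION}.{KEY}".lower()
        sectioned = (section or "").lower() == SECTION.lower() and key.lower() == KEY.lower()
        if dotted or sectioned:
            value = val
    return (value is not None and value.upper() == SAFE_VALUE, value)


def triage(product, version, cfg_text):
    """Combine both checks into the action a defender should take for this host."""
    affected = is_affected(product, version)
    active, value = workaround_active(cfg_text)
    fixed = AFFECTED[product][1]
    if not affected:
        action = "not in the affected range for this advisory"
    elif active:
        action = f"workaround in place; schedule the update to {fixed} or later"
    else:
        action = f"exposed: apply the workaround now and update to {fixed} or later"
    return {"product": product, "version": version, "affected": affected,
            "workaround_active": active, "auth_type": value, "action": action}


# Constructed sample configurations (not taken from a real device).
CFG_NO_WORKAROUND = """\
[CmpLog]
Logger.0.Name=codesyscontrol.log

[SECURITY]
; login authentication type left at its default
"""
CFG_WORKAROUND = """\
[SECURITY]
UserLogin_AuthenticationType=ONLY_ASYMMETRIC
"""
CFG_FLAT = "SECURITY.UserLogin_AuthenticationType=only_asymmetric\n"

if __name__ == "__main__":
    for ver, cfg in (("3.5.21.10", CFG_NO_WORKAROUND), ("3.5.21.10", CFG_WORKAROUND),
                     ("3.5.21.20", CFG_NO_WORKAROUND)):
        print(ver, "->", triage("Control Win (SL)", ver, cfg)["action"])
```

Run it against the real CODESYSControl.cfg by reading the file into `cfg_text`; on hosts running the 4.x Linux/ARM variants, extend the AFFECTED table with the ranges from the vendor advisory for those products before relying on the version check.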
Long-term hardening
HARDENING: Restrict network access to the CODESYS Control runtime ports (TCP 11740 by default) to authorized engineering workstations and management systems only, so that an unauthenticated attacker on the plant network cannot reach the vulnerable CmpDevice listener