CODESYS Control V3 - NULL pointer dereference
Plan: Patch · Severity: 7.5 · VDE-2025-070 · Aug 4, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in the CODESYS Control runtime's CmpDevice component allows unauthenticated attackers to trigger a NULL pointer dereference by sending specially crafted authentication requests. This causes the runtime to crash, resulting in denial of service. The issue affects all PLCs based on the CODESYS Runtime Toolkit containing CmpDevice, CmpAuditLog, and CmpSessionInformation components. Legacy CODESYS clients (prior to version 3.5.16.0) attempting to authenticate can also inadvertently trigger the crash. Affected versions: Control RTE 3.5.21.10 through 3.5.21.19, and Control for various Linux/ARM/edge platforms 4.16.0.0 through 4.16.x.
What this means
What could happen
An attacker can crash a PLC running CODESYS Control by sending specially crafted login requests, stopping production operations until the device is restarted. This denial-of-service affects any system relying on the runtime to control machinery or processes.
Who's at risk
This affects manufacturing operations using CODESYS Control runtime on PLCs from CODESYS, Phoenix Contact, WAGO, and Beckhoff. Any facility relying on these PLCs for process control—including water treatment plants, power distribution, and discrete manufacturing—should prioritize patching. Both traditional Control RTE environments and edge-based variants (Linux, ARM, BeagleBone, Raspberry Pi, PFC controllers) are affected.
How it could be exploited
An attacker on the network sends a specially crafted authentication request to the CODESYS Control runtime's login service (typically port 2455). The malformed request triggers a NULL pointer dereference in the CmpDevice component, causing the runtime to crash. No valid credentials are required. Alternatively, legacy CODESYS clients (pre-3.5.16.0) attempting to authenticate can inadvertently trigger the same crash.
Prerequisites
- Network access to the CODESYS Control runtime (typically port 2455)
- No authentication required to trigger the vulnerability
Tags: remotely exploitable · no authentication required · low complexity · affects operational technology · affects availability of critical systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
Control RTE (SL) | 3.5.21.10 < 3.5.21.20 | fixed in 3.5.21.20
Control RTE (for Beckhoff CX) SL | 3.5.21.10 < 3.5.21.20 | fixed in 3.5.21.20
Control Win (SL) | 3.5.21.10 < 3.5.21.20 | fixed in 3.5.21.20
HMI (SL) | 3.5.21.10 < 3.5.21.20 | fixed in 3.5.21.20
Runtime Toolkit | 3.5.21.10 < 3.5.21.20 | fixed in 3.5.21.20
Remediation & Mitigation
Do now
Workaround: If patching cannot be completed immediately, configure the CODESYS Control runtime to restrict login authentication to ONLY_ASYMMETRIC by editing CODESYSControl.cfg and adding:
    [CmpUserMgr]
    SECURITY.UserLogin_AuthenticationType=ONLY_ASYMMETRIC
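The two triage steps above (is this runtime version in an affected range, and is the ONLY_ASYMMETRIC workaround actually present in CODESYSControl.cfg) are easy to get wrong by hand across a fleet of controllers. The following Python script is an added example, not CODESYS tooling and not part of the advisory: it encodes the affected ranges from this page (3.5.21.10 up to but not including 3.5.21.20, fixed in 3.5.21.20; 4.16.0.0 up to but not including 4.17.0.0, fixed in 4.17.0.0), and it audits a config text for the workaround and returns a patched copy when the setting is missing or set to something else. It assumes CODESYSControl.cfg is an INI-style file with `[Section]` headers, `key=value` lines and `;` comments; the sample config text embedded below is constructed for the example, and its keys other than the workaround key are illustrative only.

```python
"""Triage helper for VDE-2025-070 (CODESYS Control NULL pointer dereference).

Added example, not CODESYS's own tooling. Affected ranges and fixed versions
are taken from the advisory; the cfg format (INI-style, ';' comments) is an
assumption about CODESYSControl.cfg.
"""
import re
from typing import Optional, Tuple

# Affected ranges from the advisory: [lower, upper) and the version that fixes it.
AFFECTED_RANGES = (
    ((3, 5, 21, 10), (3, 5, 21, 20), "3.5.21.20"),  # Control RTE/Win/HMI, Runtime Toolkit
    ((4, 16, 0, 0), (4, 17, 0, 0), "4.17.0.0"),     # Linux/ARM/edge Control variants
)

SECTION = "CmpUserMgr"
KEY = "SECURITY.UserLogin_AuthenticationType"
REQUIRED = "ONLY_ASYMMETRIC"

# Constructed sample config; only the [CmpUserMgr] key is taken from the advisory.
SAMPLE_CFG = """; constructed sample CODESYSControl.cfg (illustrative keys)
[CmpLog]
Logger.0.Name=codesyscontrol.log

[CmpUserMgr]
; no authentication type configured yet

[CmpWebServer]
WebServerPortNr=8080
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a four-part dotted CODESYS version such as '3.5.21.10' into a tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed version if `version` is in an affected range, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if lower <= v < upper:
            return fixed
    return None


def _strip(raw: str) -> str:
    """Drop a trailing ';' comment and surrounding whitespace."""
    return raw.split(";", 1)[0].strip()


def workaround_applied(cfg_text: str) -> bool:
    """True only if [CmpUserMgr] sets the key to ONLY_ASYMMETRIC."""
    section = None
    for raw in cfg_text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == SECTION and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == KEY:
                return v == REQUIRED
    return False


def apply_workaround(cfg_text: str) -> str:
    """Return cfg_text with the workaround set; unchanged if already applied."""
    if workaround_applied(cfg_text):
        return cfg_text
    out, section, done = [], None, False
    for raw in cfg_text.splitlines():
        line = _strip(raw)
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            # Leaving [CmpUserMgr] without having seen the key: insert it first.
            if section == SECTION and not done:
                out.append(f"{KEY}={REQUIRED}")
                done = True
            section = m.group(1)
        elif section == SECTION and "=" in line and line.split("=", 1)[0].strip() == KEY:
            out.append(f"{KEY}={REQUIRED}")  # overwrite a weaker value
            done = True
            continue
        out.append(raw)
    if not done:  # file ended inside [CmpUserMgr], or the section does not exist
        if section != SECTION:
            out.extend(["", f"[{SECTION}]"])
        out.append(f"{KEY}={REQUIRED}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for ver in ("3.5.21.19", "3.5.21.20", "4.16.2.0"):
        print(ver, "->", fixed_version_for(ver) or "not affected")
    print("workaround present:", workaround_applied(SAMPLE_CFG))
    print(apply_workaround(SAMPLE_CFG))
```

Run `fixed_version_for` against the version reported by each controller and `workaround_applied` against a copy of its CODESYSControl.cfg; the patched text from `apply_workaround` still has to be deployed and the runtime restarted through the vendor's normal procedure, which the advisory notes may interrupt the process.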
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Control RTE (for Beckhoff CX) SL 3.5.21.10 < 3.5.21.20
Hotfix: Update CODESYS Control RTE (SL), Control RTE (for Beckhoff CX) SL, Control Win (SL), HMI (SL), and Runtime Toolkit to version 3.5.21.20
All products
Hotfix: Update CODESYS Control for BeagleBone SL, emPC-A/iMX6 SL, IOT2000 SL, Linux ARM SL, Linux SL, PFC100 SL, PFC200 SL, PLCnext SL, Raspberry Pi SL, WAGO Touch Panels 600 SL, and Virtual Control SL to version 4.17.0.0
Long-term hardening
Hardening: Restrict network access to CODESYS Control runtime ports (typically 2455) to authorized engineering workstations and administrative networks only
CVEs (1)
API: /api/v1/advisories/be0e5e6a-eca2-4d96-b997-5dd93d5f5c84