Beckhoff: Deserialization of untrusted data by TwinCAT 3 Engineering
Plan Patch · CVSS 7.8 · VDE-2025-075 · Sep 9, 2025
CODESYS · Beckhoff
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Beckhoff TwinCAT 3 Engineering contains an unsafe deserialization vulnerability in Solution User Options (.suo) files. When an engineer opens a TwinCAT project containing a maliciously crafted .suo file, arbitrary commands are executed in the user's context. The vulnerability exists because .suo files are automatically deserialized without validation when a project is opened. This resembles the earlier issues in CODESYS Development System V3 (CVE-2021-21864 through CVE-2021-21869).
What this means
What could happen
An attacker could craft a malicious .suo settings file that executes arbitrary commands on an engineer's workstation when they open a TwinCAT project, allowing compromise of the engineering environment and potentially the automation projects themselves.
Who's at risk
Engineering teams using Beckhoff TwinCAT 3 Engineering for IEC 61131-3 automation project development, particularly those who share projects across workstations or via source control systems. This affects individuals responsible for creating and maintaining PLC/industrial control logic.
How it could be exploited
An attacker places a crafted .suo (Solution User Options) file in a TwinCAT 3 project folder or sends the project to an engineer. When the engineer opens the project in TwinCAT 3 Engineering, the malicious .suo file is automatically deserialized and the embedded commands execute in the engineer's user context.
Prerequisites
- Local access to the project folder on the engineer's workstation or ability to deliver a malicious project file to the engineer
- The engineer must open the compromised TwinCAT 3 project in an affected version of TwinCAT 3 Engineering
- Arbitrary command execution in user context
- Low complexity attack
- Requires user interaction (opening project)
- Affects engineering/development environment
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: TE1000 | TwinCAT 3 Engineering
Affected Versions: < 3.1.4024.67
Fix Status: fixed in 3.1.4024.67
Remediation & Mitigation
Do now
WORKAROUND: Review and remove any .suo (Solution User Options) files from shared project repositories or source control systems. These files hold per-user IDE state and are not intended to be version-controlled, so their presence in a shared repository is itself a sign of a hygiene problem.
Schedule — requires maintenance window
Patching may require a reboot of the engineering workstation — plan for process interruption
HOTFIX: Update TwinCAT 3 Engineering to version 3.1.4024.67 or later
HARDENING: Uninstall all older versions of TwinCAT 3 Engineering from engineering workstations
HARDENING: Remove any pinned or locked configurations in TwinCAT Remote Manager that enforce use of older TwinCAT 3 Engineering versions
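The following script is an added example, not code from Beckhoff or from this advisory's author. It serves two of the items above: the workaround (find and remove .suo files from a shared project checkout and confirm the .gitignore keeps them out) and the hotfix/hardening items (flag installed TwinCAT 3 Engineering builds below 3.1.4024.67, the fixed build named in the table). It assumes that .suo files may sit either beside the .sln or under the hidden .vs/ directory that newer Visual Studio shells create, and that the caller supplies the installed version strings; reading them from the Windows registry is out of scope, so the sample project tree and version list below are constructed.

```python
"""Audit a TwinCAT 3 project checkout for .suo files and check installed
TwinCAT 3 Engineering builds against the fixed build from the advisory.

Added example; not Beckhoff's code. Assumptions: .suo files may live next
to the .sln or under the hidden .vs/ directory (newer Visual Studio shells);
the first fixed TE1000 build is 3.1.4024.67; version strings are supplied
by the caller (the ones in the demo are constructed).
"""
import os
import re
import tempfile

FIXED_VERSION = (3, 1, 4024, 67)          # first fixed build per the advisory
SUO_NAME_RE = re.compile(r"\.suo$", re.IGNORECASE)


def find_suo_files(root):
    """Return every .suo file below root as a sorted list of '/'-separated
    relative paths. Hidden directories such as .vs/ are searched too, because
    that is where newer Visual Studio shells keep the file."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            dirnames.remove(".git")         # object store is not a working copy
        for name in filenames:
            if SUO_NAME_RE.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def gitignore_excludes_suo(gitignore_text):
    """Check that a .gitignore keeps both *.suo and the .vs/ directory out of
    the repository. Exact-pattern match only, not a full gitignore parser."""
    patterns = set()
    for line in gitignore_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("**/"):
            line = line[3:]
        patterns.add(line.rstrip("/").lower())
    return "*.suo" in patterns and ".vs" in patterns


def parse_version(text):
    """'3.1.4024.64' -> (3, 1, 4024, 64). Integer tuples are required: as a
    string, '3.1.4024.9' sorts after '3.1.4024.67' and would look fixed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected TwinCAT version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True when the build is older than 3.1.4024.67."""
    return parse_version(version_text) < FIXED_VERSION


def audit(root, installed_versions):
    """Combine the repository scan with the installed-version check."""
    gitignore_path = os.path.join(root, ".gitignore")
    gitignore_text = ""
    if os.path.exists(gitignore_path):
        with open(gitignore_path, encoding="utf-8") as fh:
            gitignore_text = fh.read()
    return {
        "suo_files": find_suo_files(root),
        "gitignore_ok": gitignore_excludes_suo(gitignore_text),
        "affected_versions": [v for v in installed_versions if is_affected(v)],
    }


def make_sample_tree():
    """Constructed TwinCAT-like checkout for the demonstration: one .suo beside
    the solution, another under .vs/, and a .gitignore that misses both."""
    root = tempfile.mkdtemp(prefix="tc3-audit-")
    layout = {
        "Plant.sln": "Microsoft Visual Studio Solution File (constructed)\n",
        "Plant.suo": "binary-user-options-placeholder",
        ".vs/Plant/v16/.suo": "binary-user-options-placeholder",
        "Plant/PLC/POUs/MAIN.TcPOU": "<TcPlcObject/>\n",
        ".gitignore": "bin/\nobj/\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # Constructed version list: two affected builds and the fixed one.
    report = audit(make_sample_tree(), ["3.1.4024.64", "3.1.4024.9", "3.1.4024.67"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real checkout by passing the repository root to `audit()`; any path it lists should be deleted and the patterns `*.suo` and `.vs/` added to `.gitignore`. The version comparison is done on integer tuples on purpose: a plain string comparison of build numbers would report a build such as 3.1.4024.9 as newer than the fix.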
CVEs (1)