Beckhoff: Deserialization of untrusted data by TwinCAT 3 Engineering
Plan Patch | 7.8 | VDE-2025-075 | Sep 9, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Beckhoff TwinCAT 3 Engineering deserializes untrusted data from Solution User Options (.suo) files without proper validation. When a user opens a project containing a maliciously crafted .suo file, arbitrary commands are executed in the user's context. This affects TwinCAT 3 Engineering versions before 3.1.4024.67.
What this means
What could happen
An attacker could execute arbitrary commands on an engineering workstation running TwinCAT 3 Engineering, potentially allowing them to modify automation projects, steal credentials, or compromise the integrity of control system configurations before they are deployed to field devices.
Who's at risk
Engineering teams at water authorities and utilities that use Beckhoff TwinCAT 3 for automation project development. This affects any workstation or engineering server running TwinCAT 3 Engineering versions before 3.1.4024.67, including those used for PLC/PAC programming, HMI development, and system configuration.
How it could be exploited
An attacker creates a malicious .suo file within a TwinCAT 3 project folder or project archive and tricks a user into opening the project with TwinCAT 3 Engineering. When the project is opened, the crafted .suo file is deserialized and the embedded commands execute automatically in the user's context. Delivery could be via email, shared repository, or USB.
Prerequisites
- User must open a TwinCAT 3 project containing a maliciously crafted .suo file
- User must be running an affected version of TwinCAT 3 Engineering (before 3.1.4024.67)
- No authentication or special privileges required beyond a normal user account
- Actively exploited in the wild (similar vulnerabilities were exploited for CODESYS products)
- Low complexity attack
- No authentication required
- User interaction required but plausible via social engineering
- Could lead to compromise of engineering credentials and automation project integrity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: TE1000 | TwinCAT 3 Engineering <3.1.4024.67
Affected Versions: <3.1.4024.67
Fix Status: 3.1.4024.67
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update TwinCAT 3 Engineering to version 3.1.4024.67 or later
- HARDENING: Uninstall all older versions of TwinCAT 3 Engineering from engineering workstations
- HARDENING: Remove version pinning constraints in TwinCAT 3 projects that force use of older Engineering versions
- HARDENING: Verify that TwinCAT 3 Engineering Remote Manager installations are running the current version, not legacy versions
Long-term hardening
- HARDENING: Do not commit .suo files to source control repositories; ensure they are added to .gitignore or equivalent exclusion list
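A pre-open check for the delivery paths and the .suo hardening item above, as an added example that is not part of the advisory or of Beckhoff's tooling: it lists every .suo file in a received project folder (hidden subfolders included) and inside zip-format project archives, so they can be reviewed before the project is opened. The function names and the sample tree are constructed for illustration.

```python
import os
import sys
import tempfile
import zipfile


def find_suo(path):
    """Return sorted locations of .suo files under a folder or inside zip-format archives."""
    hits = []
    if os.path.isfile(path):
        candidates = [path]
    else:
        candidates = []
        # os.walk also descends into hidden folders such as .vs
        for root, _dirs, files in os.walk(path):
            candidates.extend(os.path.join(root, name) for name in files)
    for file_path in candidates:
        if file_path.lower().endswith(".suo"):  # case-insensitive match
            hits.append(file_path)
        elif zipfile.is_zipfile(file_path):  # detect archives by content, not extension
            with zipfile.ZipFile(file_path) as archive:
                for member in archive.namelist():
                    if member.lower().endswith(".suo"):
                        hits.append(f"{file_path}!{member}")
    return sorted(hits)


def build_sample(root):
    """Create a constructed project tree and archive (empty placeholder files only)."""
    for rel in ("Plant/Plant.sln", "Plant/Plant.v12.suo", "Plant/.vs/Plant/v15/.suo"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    with zipfile.ZipFile(os.path.join(root, "delivery.zip"), "w") as archive:
        archive.writestr("Line1/Line1.sln", b"")
        archive.writestr("Line1/.vs/Line1/v15/.SUO", b"")
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan the folder or archive given on the command line
        found = find_suo(sys.argv[1])
    else:  # no argument: run against the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            found = [os.path.relpath(hit, tmp) for hit in find_suo(build_sample(tmp))]
    for hit in found:
        print("SUO:", hit)
    sys.exit(1 if found else 0)  # non-zero exit lets a script or hook block on a finding
```

The non-zero exit code makes the same script usable as a gate in an intake script or repository hook.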
CVEs (1)