Beckhoff: Privilege escalation and information leak via Beckhoff Device Manager

Recommended action: Patch
CVSS: 8.8
Advisory: VDE-2025-092
Published: Jan 27, 2026
Vendor: Beckhoff

Attack path
  Attack Vector: Network
  Auth Required: Low
  Complexity: Low
  User Interaction: None needed
Summary

Three related vulnerabilities in Beckhoff Device Manager and associated software packages allow authenticated remote users to execute arbitrary commands with elevated privileges (CVE-2025-41726), local low-privilege users to escalate privileges and execute commands as a privileged process (CVE-2025-41727), and authenticated users to trigger out-of-bounds memory reads that leak sensitive information from device processes (CVE-2025-41728). The vulnerabilities affect .Device.Manager.XAR tcpkg package versions before 2.5.3, MDP software for TwinCAT/BSD before 1.7.0.0, and mdp-bhf for Beckhoff RT Linux before 0.0.5-1.

What this means
What could happen
An authenticated attacker could execute arbitrary commands on Beckhoff industrial controllers with elevated privileges, potentially altering production logic, stopping processes, or modifying control parameters. Additionally, unprivileged local users could escalate privileges to run commands in privileged processes, and authenticated attackers could leak sensitive information from device memory.
Who's at risk
This affects Beckhoff TwinCAT industrial automation controllers and related runtime systems used in manufacturing plants, process control systems, and critical infrastructure. Plant engineers, automation contractors, and facility operators managing Beckhoff-based control systems should prioritize patching.
How it could be exploited
An attacker with valid credentials can send specially crafted commands to Beckhoff Device Manager via the web UI or API to execute arbitrary code with elevated privileges. A local user with low-privilege access can bypass the UI authentication mechanism and send commands directly to the privileged service, causing those commands to execute with higher privileges. An authenticated remote user can trigger an out-of-bounds read in a service process to leak sensitive data from memory.
Prerequisites
  • Valid credentials (username/password) for remote web UI or API access (remote variants, CVE-2025-41726 and CVE-2025-41728)
  • Network access to the Beckhoff Device Manager service (typically port 443 or 8080)
  • Local system access (local privilege escalation variant, CVE-2025-41727)

Tags: remotely exploitable; low complexity; authentication required for initial remote exploitation; local privilege escalation path without authentication; affects industrial control systems; information disclosure possible
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (3), all with a fix available

  Product                                              Affected versions   Fix status
  .Device.Manager.XAR tcpkg package                    < 2.5.3             2.5.3
  MDP software package for TwinCAT/BSD                 < 1.7.0.0           1.2.7.0
  mdp-bhf software package for Beckhoff RT Linux(R)    < 0.0.5-1           0.0.5-1
Remediation & Mitigation

Do now
  • Workaround: Restrict network access to Beckhoff Device Manager ports to only authorized engineering workstations and control systems

Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
  • Hotfix: Update .Device.Manager.XAR tcpkg package to version 2.5.3 or later
  • Hotfix: Update MDP software package for TwinCAT/BSD to version 1.7.0.0 or later
  • Hotfix: Update mdp-bhf software package for Beckhoff RT Linux to version 0.0.5-1 or later

Long-term hardening
  • Hardening: Disable or limit remote API access to the Device Manager if not actively required for operations
  • Hardening: Implement strong password policies for Device Manager user accounts and regularly audit active user sessions
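Added example (not from OTPulse, Beckhoff, or the advisory itself): a POSIX sh helper for checking whether a version pulled from an asset inventory still falls inside the affected ranges listed above, so the patching items can be tracked per controller. The package keys device-manager-xar and mdp-twincat-bsd are labels chosen here, not real package names; the query commands in the comments (pkg query on TwinCAT/BSD, dpkg-query on Beckhoff RT Linux) are assumptions about how the installed version would be obtained on each platform. The fixed versions are the ones stated in this advisory.

```shell
#!/bin/sh
# Added example: classify a package version against the fixed versions from
# this advisory (2.5.3 / 1.7.0.0 / 0.0.5-1). Not vendor code.

# version_lt A B -> returns 0 (true) when A sorts before B.
# Dots and dashes both separate components, which are compared numerically,
# so "1.10" > "1.9" and "0.0.5-1" > "0.0.5". Missing components count as 0.
# Assumption: components are plain integers (no "~beta" style suffixes).
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s\n' "$2" | sed 's/[.-]/ /g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; [ "$x" = "$a" ] && a= || a=${a#* }
        y=${b%% *}; [ "$y" = "$b" ] && b= || b=${b#* }
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# is_affected KEY VERSION -> prints "affected" or "fixed" (or "unknown").
# KEY is a label used only by this script (hypothetical, not a package name).
is_affected() {
    case "$1" in
        device-manager-xar) fixed=2.5.3 ;;    # .Device.Manager.XAR tcpkg package
        mdp-twincat-bsd)    fixed=1.7.0.0 ;;  # MDP software package for TwinCAT/BSD
        mdp-bhf)            fixed=0.0.5-1 ;;  # mdp-bhf package, Beckhoff RT Linux
        *) echo unknown; return 2 ;;
    esac
    if version_lt "$2" "$fixed"; then echo affected; else echo fixed; fi
}

# Usage: is_affected KEY VERSION
# Assumed ways to obtain VERSION on the device (verify against your platform):
#   TwinCAT/BSD:        pkg query '%v' <package-name>
#   Beckhoff RT Linux:  dpkg-query -W -f '${Version}\n' mdp-bhf
if [ "$#" -eq 2 ]; then
    is_affected "$1" "$2"
fi
```

Run it as `sh check.sh mdp-bhf 0.0.4-3` on an inventory export; each controller that prints "affected" maps to one of the hotfix items above. The comparison deliberately treats "0.0.5" as older than "0.0.5-1", because the Debian-style revision suffix is part of the fixed version the advisory names.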