Beckhoff: Privilege escalation and information leak via Beckhoff Device Manager
Priority: Plan Patch | Score: 8.8 | Advisory ID: VDE-2025-092 | Date: Jan 27, 2026
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Three vulnerabilities in Beckhoff Device Manager and related packages allow privilege escalation and information disclosure. CVE-2025-41726 allows authenticated remote users to execute arbitrary commands on the device via the web UI or API, sometimes within a privileged process. CVE-2025-41727 allows local low-privilege users to bypass UI authentication and send commands to privileged processes, escalating privileges. CVE-2025-41728 allows authenticated remote users to trigger out-of-bounds memory reads in a service process, potentially leaking sensitive information.
What this means
What could happen
An attacker with valid credentials can execute arbitrary commands on your Beckhoff controller with elevated privileges, disrupting operations or modifying setpoints. A local user without special privileges can escalate to run privileged commands, potentially altering critical automation logic.
Who's at risk
This affects organizations running Beckhoff automation controllers and engineering workstations, particularly those using TwinCAT/BSD or Beckhoff RT Linux-based systems. Water utilities, power plants, manufacturing facilities, and other critical infrastructure using Beckhoff control systems should prioritize patching. Both remote administrative access and local system access are vectors of concern.
How it could be exploited
An attacker with valid credentials accesses the Device Manager web UI or API and sends a crafted request to execute arbitrary commands, which run with the privileges of the Device Manager process (sometimes elevated). Alternatively, a local user with low privileges on the device can craft a request that bypasses the UI authentication mechanism and reaches a privileged service process, which executes commands on their behalf with higher privileges.
Prerequisites
- Valid credentials to access the Device Manager web UI or API (for remote exploitation)
- Network access to the Device Manager web interface or API endpoint
- Local user account on the device (for privilege escalation exploitation)
Tags: Remotely exploitable · Requires valid credentials · Low complexity attack · Affects industrial automation platforms · Privilege escalation capability
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
.Device.Manager.XAR tcpkg package | < 2.5.3 | 2.5.3
MDP software package for TwinCAT/BSD | < 1.7.0.0 | 1.2.7.0
mdp-bhf software package, Beckhoff RT Linux(R) | < 0.0.5-1 | 0.0.5-1
Note: as listed here, the affected range for the TwinCAT/BSD MDP package (< 1.7.0.0) and its fixed version (1.2.7.0) do not agree, since 1.2.7.0 is lower than 1.7.0.0. Confirm the fixed version against the vendor advisory VDE-2025-092 before scheduling the update.
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the Device Manager web UI to trusted engineering workstations and administrative networks only, via firewall rules.
- HARDENING: Disable or isolate the Device Manager API endpoint if it is not actively used for remote management.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update the .Device.Manager.XAR tcpkg package to version 2.5.3 or later.
- HOTFIX: Update the MDP software package for TwinCAT/BSD to version 1.2.7.0 or later.
- HOTFIX: Update the mdp-bhf software package for Beckhoff RT Linux to version 0.0.5-1 or later.
Long-term hardening
- HARDENING: Implement strong access controls so that local user accounts on Beckhoff controllers are limited to those who genuinely require system access.
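The "Do now" workaround above asks for firewall rules that limit the Device Manager web UI to engineering workstations. The script below is an added example, not part of the advisory and not Beckhoff's own configuration: it renders a pf rule set for a TwinCAT/BSD controller (TwinCAT/BSD is FreeBSD-based and ships pf; that it is the firewall in use on your device is an assumption), blocks the web UI port by default, and allows only an engineering subnet. The interface name `em0`, the UI port 443 and the subnet `10.10.20.0/24` are assumptions; set `DM_IF`, `DM_PORT` and `ENG_NET` to match the device and your network.

```shell
#!/bin/sh
# Added example (not from the advisory or from Beckhoff): render a pf rule set
# that restricts the Beckhoff Device Manager web UI to an engineering subnet.
# ASSUMPTIONS: pf is the active firewall, the UI listens on TCP 443 on the
# interface in DM_IF, and ENG_NET is the only network that should reach it.
DM_IF="${DM_IF:-em0}"
DM_PORT="${DM_PORT:-443}"
ENG_NET="${ENG_NET:-10.10.20.0/24}"

# pf evaluates rules top to bottom and the LAST matching rule wins, so the
# broad "block" comes first and the narrow "pass" for the engineering table
# overrides it for that source only. ($DM_IF) resolves to the interface's
# own addresses, so the rule survives an address change.
render_dm_rules() {
  cat <<EOF
# Beckhoff Device Manager web UI: deny by default, allow engineering subnet only
table <eng_ws> { $ENG_NET }
block in log on $DM_IF proto tcp to ($DM_IF) port $DM_PORT
pass in on $DM_IF proto tcp from <eng_ws> to ($DM_IF) port $DM_PORT flags S/SA keep state
EOF
}

# Write the rule set to a file and, where pfctl is available, parse it without
# loading it (-n). Loading is left to the operator: apply it from a console
# session or with the engineering workstation already in ENG_NET, or you lock
# yourself out of the UI you are protecting.
write_dm_rules() {
  out="$1"
  render_dm_rules > "$out"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$out"
  fi
}

# Stand-alone usage: render to a temporary file and show it.
if [ -z "$DM_RULES_NO_DEMO" ]; then
  demo_file=$(mktemp)
  write_dm_rules "$demo_file"
  cat "$demo_file"
  rm -f "$demo_file"
fi
```

The rules only cover inbound traffic to the web UI port; the Device Manager API endpoint, if it listens elsewhere, needs its own pair of rules in the same shape. Merge the output into the device's existing pf configuration rather than replacing it, because TwinCAT/BSD may already carry rules for ADS and other services.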
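Before and after the hotfix steps above, the practical question is which controllers still run a version below the fixed ones in the affected-products table. The script below is an added example, not part of the advisory and not a Beckhoff tool: it compares a "name version" inventory against the three fixed versions listed on this page. The inventory embedded in it is constructed, and the package names `.Device.Manager.XAR`, `mdp` and `mdp-bhf` are assumptions about how the packages appear in a listing; on a real device feed it `pkg query '%n %v'` (TwinCAT/BSD) or `dpkg-query -W -f='${Package} ${Version}\n'` (RT Linux) and match the names to what those print.

```shell
#!/bin/sh
# Added example (not from the advisory or from Beckhoff): flag installed
# packages that are below the fixed versions listed in VDE-2025-092.
# The inventory below is CONSTRUCTED sample data in "name version" form.
SAMPLE_INVENTORY='.Device.Manager.XAR 2.4.9
mdp 1.2.6.1
mdp-bhf 0.0.4-3
tc31-xar 4024.56'

# version_lt A B: exit 0 if A < B, 1 otherwise. Versions are compared
# component-wise as integers; "." and "-" (Debian-style revision) are both
# separators, and a missing trailing component counts as 0, so 2.5 == 2.5.0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# Fixed versions as listed in the advisory. Package NAMES are an assumption;
# align them with your own inventory output.
fixed_version() {
  case "$1" in
    .Device.Manager.XAR) echo 2.5.3 ;;
    mdp)                 echo 1.2.7.0 ;;
    mdp-bhf)             echo 0.0.5-1 ;;
    *)                   return 1 ;;
  esac
}

# check_inventory: reads "name version" lines on stdin, prints one verdict per
# tracked package and ignores everything else. Returns 0 only when every
# tracked package present is at or above its fixed version.
check_inventory() {
  rc=0
  while read -r name ver; do
    fixed=$(fixed_version "$name") || continue
    if version_lt "$ver" "$fixed"; then
      echo "VULNERABLE $name $ver (fixed in $fixed)"
      rc=1
    else
      echo "OK $name $ver"
    fi
  done
  return $rc
}

# Stand-alone usage on the constructed sample.
if printf '%s\n' "$SAMPLE_INVENTORY" | check_inventory; then
  echo "all tracked packages patched"
else
  echo "patching required"
fi
```

A package that is absent from the inventory produces no line at all, so a device that simply does not have the Device Manager installed reports as patched; treat "no VULNERABLE line" as "nothing to fix" only after confirming the listing actually contains the packages you expect.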