CODESYS Control - Linux/QNX SysSocket flaw

Monitor | CVSS 5.9 | VDE-2025-099 | Dec 1, 2025
Tags: CODESYS | Phoenix Contact | WAGO | Manufacturing

Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A flaw exists in the SysSocket implementation of the CODESYS Control runtime abstraction layer on Linux and QNX systems. The vulnerability is caused by incorrect internal handling and can lead to an out-of-bounds memory read. An unauthenticated attacker can exploit this vulnerability via socket-based communication by sending a specially crafted message and winning a race condition, potentially causing a crash of the communication task. This affects the CODESYS runtime itself and client applications such as PLCHandler running on Linux or QNX that connect to a malicious server.

What this means
What could happen
An attacker could crash the CODESYS runtime or client application by exploiting a memory read flaw in socket communication, causing operational downtime. If successful, this could interrupt control logic execution on PLCs and edge devices running Linux or QNX.
Who's at risk
Manufacturing and facility automation organizations using CODESYS runtime environments on Linux or QNX, including those operating edge gateways, remote visualization systems, industrial PLCs (BeagleBone, Raspberry Pi, PFC, PLCnext series) and IIoT devices. It particularly affects organizations running CODESYS on commodity platforms such as Raspberry Pi or WAGO controllers.
How it could be exploited
An unauthenticated attacker sends a specially crafted socket message to a vulnerable CODESYS runtime or client (like PLCHandler on Linux/QNX). By winning a race condition during the socket handling, the attacker triggers an out-of-bounds memory read in the SysSocket implementation, crashing the communication task and halting the associated application.
Prerequisites
  • Network access to the socket port used by CODESYS Control or client applications
  • The target device runs a vulnerable version on Linux or QNX operating system
  • Attacker must win a race condition during socket communication (increases attack complexity)
Tags: remotely exploitable | no authentication required | affects runtime control systems | requires race condition (moderate complexity) | Linux and QNX platforms only
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
PLCHandler | 3.5.21.0 to < 3.5.21.40 | Fixed in 3.5.21.40
Remote Target Visu | 3.5.21.0 to < 3.5.21.40 | Fixed in 3.5.21.40
Runtime Toolkit | 3.5.21.0 to < 3.5.21.40 | Fixed in 3.5.21.40
Control for BeagleBone SL | 4.15.0.0 to < 4.19.0.0 | Fixed in 4.19.0.0
Control for emPC-A/iMX6 SL | 4.15.0.0 to < 4.19.0.0 | Fixed in 4.19.0.0
Remediation & Mitigation
Do now
WORKAROUND: As a temporary workaround, add LinuxSelectPoll=1 to the [SysSocket] section of the CODESYSControl.cfg configuration file to revert to select()-based socket handling until patches can be applied.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS PLCHandler, Remote Target Visu, and Runtime Toolkit to version 3.5.21.40 or later.
HOTFIX: Update CODESYS Control products (BeagleBone SL, emPC-A/iMX6 SL, IOT2000 SL, Linux ARM SL, Linux SL, PFC100 SL, PFC200 SL, PLCnext SL, Raspberry Pi SL, WAGO Touch Panels 600 SL, Edge Gateway for Linux, TargetVisu for Linux SL, Virtual Control SL) to version 4.19.0.0 or later.
Long-term hardening
HARDENING: Restrict network access to CODESYS socket communication ports using firewall rules to only trusted engineering and control networks.
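As an added example (not from the advisory or from CODESYS), the following Python checks an installed version against the affected ranges listed in the table above and applies the LinuxSelectPoll=1 workaround to CODESYSControl.cfg text idempotently, so a fleet script can run it repeatedly without duplicating the key. Section names other than [SysSocket] used in the test data are constructed placeholders, not real CODESYS configuration sections.

```python
import re

# Version ranges from the advisory table: first affected version (inclusive)
# and first fixed version (exclusive).
AFFECTED_RANGES = {
    "PLCHandler": ("3.5.21.0", "3.5.21.40"),
    "Remote Target Visu": ("3.5.21.0", "3.5.21.40"),
    "Runtime Toolkit": ("3.5.21.0", "3.5.21.40"),
    "Control for BeagleBone SL": ("4.15.0.0", "4.19.0.0"),
    "Control for emPC-A/iMX6 SL": ("4.15.0.0", "4.19.0.0"),
}

def parse_version(v):
    """Turn '3.5.21.40' into a tuple so components compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_affected(product, version):
    """True when the installed version is inside the vulnerable range."""
    low, fixed = AFFECTED_RANGES[product]
    return parse_version(low) <= parse_version(version) < parse_version(fixed)

def apply_workaround(cfg_text):
    """Return cfg_text with LinuxSelectPoll=1 set in [SysSocket].

    Idempotent: an existing key is rewritten in place, a missing key is
    added at the end of the section, a missing section is appended.
    """
    out, in_section, section_seen, key_written = [], False, False, False
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving [SysSocket] without having seen the key: add it here.
            if in_section and not key_written:
                out.append("LinuxSelectPoll=1")
                key_written = True
            in_section = stripped.lower() == "[syssocket]"
            section_seen = section_seen or in_section
        elif in_section and re.match(r"(?i)^\s*LinuxSelectPoll\s*=", line):
            line = "LinuxSelectPoll=1"   # rewrite whatever value was there
            key_written = True
        out.append(line)
    if section_seen and not key_written:      # [SysSocket] was the last section
        out.append("LinuxSelectPoll=1")
    elif not section_seen:                    # no [SysSocket] section at all
        out += ["", "[SysSocket]", "LinuxSelectPoll=1"]
    return "\n".join(out) + "\n"
```

The workaround only matters on Linux and QNX builds in the affected ranges; once the fixed version is installed, is_affected returns False and the setting can be removed again.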

