CODESYS Control - Linux/QNX SysSocket flaw
Monitor · 5.9 · VDE-2025-099 · Dec 1, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A flaw exists in the SysSocket implementation of the CODESYS Control runtime abstraction layer for Linux and QNX. Due to incorrect internal handling, an out-of-bounds read can occur depending on how the caller interacts with the affected function. An unauthenticated attacker may exploit this via socket-based communication to crash the communication task or affect clients like PLCHandler that connect to a malicious server. Successful exploitation requires winning a race condition. All other platforms (Windows, etc.) are not affected.
What this means
What could happen
An attacker could crash the communication task on a CODESYS-based PLC or engineering workstation running on Linux or QNX by sending malformed socket data, disrupting control operations or engineering access. The attack requires winning a race condition, making it difficult but not impossible to execute.
Who's at risk
Manufacturers using CODESYS Control on Linux and QNX platforms, including those deploying it on industrial controllers (WAGO PFC, Siemens IOT2000, Raspberry Pi, BeagleBone), engineering workstations running PLCHandler or visualization tools, and edge gateways. Phoenix Contact and WAGO branded products built on CODESYS are also affected.
How it could be exploited
An unauthenticated attacker with network access to the CODESYS socket communication port sends specially crafted socket data that triggers an out-of-bounds read in the SysSocket implementation. The attacker must exploit a race condition in the code path to cause a crash of the communication task. Alternatively, a malicious server could trigger the flaw if the CODESYS client connects to it.
Prerequisites
- Network access to the CODESYS socket communication port
- Ability to send raw socket traffic to the affected device
- Successful race condition exploitation (increases attack complexity)
Tags: remotely exploitable · no authentication required · affects availability (crash) · requires race condition (increases complexity)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
PLCHandler | >= 3.5.21.0, < 3.5.21.40 | Fixed in 3.5.21.40
Remote Target Visu | >= 3.5.21.0, < 3.5.21.40 | Fixed in 3.5.21.40
Runtime Toolkit | >= 3.5.21.0, < 3.5.21.40 | Fixed in 3.5.21.40
Control for BeagleBone SL | >= 4.15.0.0, < 4.19.0.0 | Fixed in 4.19.0.0
Control for emPC-A/iMX6 SL | >= 4.15.0.0, < 4.19.0.0 | Fixed in 4.19.0.0
Remediation & Mitigation
Do now
WORKAROUND: As an interim workaround before patching, add LinuxSelectPoll=1 to the [SysSocket] section of CODESYSControl.cfg to revert to select()-based socket handling
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update PLCHandler, Remote Target Visu, and Runtime Toolkit to version 3.5.21.40 or later
HOTFIX: Update all CODESYS Control for [platform] products (BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600) to version 4.19.0.0 or later
HOTFIX: Update CODESYS Edge Gateway for Linux and TargetVisu for Linux SL to version 4.19.0.0 or later
HOTFIX: Update CODESYS Virtual Control SL to version 4.19.0.0 or later
Long-term hardening
HARDENING: Restrict network access to CODESYS socket communication ports using firewall rules to limit connections from trusted engineering and control networks only
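As an added example (not part of this advisory or of CODESYS's own tooling), a small Python helper that audits a CODESYSControl.cfg for the interim LinuxSelectPoll=1 workaround and applies it idempotently. It assumes the INI-style layout of [Section] headers and Key=Value lines; the sample config and its section names are constructed for illustration, and the real file path is supplied by the operator.

```python
import re

# Setting named in the advisory workaround: [SysSocket] / LinuxSelectPoll=1
SECTION, KEY, VALUE = "SysSocket", "LinuxSelectPoll", "1"
_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Key=Value line; lines starting with ';' or '#' are treated as comments
_KV_RE = re.compile(r"^\s*(?P<key>[^=;#\s][^=]*?)\s*=\s*(?P<val>.*?)\s*$")


def has_workaround(cfg_text: str) -> bool:
    """True only if [SysSocket] carries LinuxSelectPoll=1 (comments ignored)."""
    current = None
    for line in cfg_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            continue
        kv = _KV_RE.match(line)
        if kv and current == SECTION.lower() and kv.group("key").lower() == KEY.lower():
            return kv.group("val") == VALUE
    return False


def apply_workaround(cfg_text: str) -> str:
    """Return cfg_text with LinuxSelectPoll=1 in [SysSocket]; idempotent.
    An existing key in that section is rewritten in place; a missing section
    is appended at the end. All other lines are left untouched."""
    out, in_section, done = [], False, False
    for line in cfg_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            if in_section and not done:      # leaving [SysSocket] without the key
                out.append(f"{KEY}={VALUE}")
                done = True
            in_section = m.group("name").strip().lower() == SECTION.lower()
            out.append(line)
            continue
        kv = _KV_RE.match(line)
        if in_section and not done and kv and kv.group("key").lower() == KEY.lower():
            out.append(f"{KEY}={VALUE}")     # overwrite e.g. LinuxSelectPoll=0
            done = True
            continue
        out.append(line)
    if not done:
        if not in_section:                   # section absent: create it at the end
            if out and out[-1].strip():
                out.append("")
            out.append(f"[{SECTION}]")
        out.append(f"{KEY}={VALUE}")
    return "\n".join(out) + "\n"


# Constructed sample config (section/key names other than SysSocket are made up).
SAMPLE_CFG = "[Example]\nSomeKey=value\n\n[SysSocket]\nLinuxSelectPoll=0\n"
```

Run has_workaround() over the config pulled from each Linux/QNX controller to confirm the interim setting is actually in place, and remove the line again once the 4.19.0.0 / 3.5.21.40 updates are deployed.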
CVEs (1)
API: /api/v1/advisories/4d666528-d7b8-4b07-b287-f8486d89524c