CODESYS Control - Invalid type usage in visualization

Recommended action: Plan patch | Severity score: 7.5 | Advisory ID: VDE-2025-100 | Published: Dec 1, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the CmpVisuServer component of the CODESYS Control runtime allows a remote denial of service through an invalid pointer-type dereference. When an attacker sends a specially crafted request to the CODESYS Web Visualization server or to the Remote Target Visu, the incorrect memory access causes the runtime to crash. Only systems with the CmpVisuServer component active are affected. For CODESYS Web Visu, the web server must be running, which by default is the case only when the PLC application includes visualization code. This affects CODESYS Control RTE (all variants), Control Win, HMI, Remote Target Visu, Runtime Toolkit, and all platform-specific variants (BeagleBone, Linux, Raspberry Pi, PFC series, PLCnext, Beckhoff CX, WAGO Touch Panels, etc.).

What this means
What could happen
An attacker can crash the CODESYS runtime system by sending a malformed request to the visualization server, causing loss of control over the PLC and temporary shutdown of automated processes until the system is restarted.
Who's at risk
Operators of CODESYS-based control systems, including users of PLCs from Phoenix Contact, WAGO and Beckhoff, and any plant running CODESYS Control on industrial platforms (Raspberry Pi, BeagleBone, Linux-based controllers, or dedicated industrial computers). Any production environment relying on visualization-enabled CODESYS runtime systems is at risk.
How it could be exploited
An attacker with network access to the visualization server (typically TCP port 8080 for Web Visu, or the port used by the Remote Target Visu) sends a specially crafted request that triggers an incorrect pointer-type dereference in CmpVisuServer, causing the runtime to crash and stop executing control logic. No authentication is required, and because the request only has to reach the listener, the attack succeeds without any interaction from an operator.
Prerequisites
  • Network access to the CODESYS Web Visualization server or remote Target Visu port
  • Web server enabled on the runtime (default only if PLC application includes visualization code)
  • CmpVisuServer component active in the CODESYS runtime
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects availability of control systems
  • Wide range of industrial platforms affected
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (17)
17 with fix
Product                            Affected versions              Fix status
Control RTE (SL)                   >= 3.5.18.0 and < 3.5.21.40    fixed in 3.5.21.40
Control RTE (for Beckhoff CX) SL   >= 3.5.18.0 and < 3.5.21.40    fixed in 3.5.21.40
Control Win (SL)                   >= 3.5.18.0 and < 3.5.21.40    fixed in 3.5.21.40
HMI (SL)                           >= 3.5.18.0 and < 3.5.21.40    fixed in 3.5.21.40
Remote Target Visu                 >= 3.5.18.0 and < 3.5.21.40    fixed in 3.5.21.40
Remediation & Mitigation
Do now
Workaround: Restrict network access to the CODESYS visualization server ports (typically TCP 8080 for Web Visu) to only authorized engineering workstations and HMI clients
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Control RTE (for Beckhoff CX) SL, affected >= 3.5.18.0 and < 3.5.21.40
Hotfix: Update CODESYS Control RTE (for Beckhoff CX) SL to version 3.5.21.40 or later
All products
Hotfix: Update CODESYS Control RTE (SL) to version 3.5.21.40 or later
Hotfix: Update CODESYS Control Win (SL), HMI (SL), Remote Target Visu, and Runtime Toolkit to version 3.5.21.40 or later
Hotfix: Update CODESYS Control for BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, and Virtual Control SL to version 4.19.0.0 or later
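The following Python script is an added example and is not part of this advisory or of any CODESYS tooling. It encodes the affected and fixed versions listed above and applies them to a constructed inventory, ranking devices by whether CmpVisuServer is active (the prerequisite for the runtime to be reachable). The 3.5.x lower bound 3.5.18.0 comes from the rows shown above; the page does not show a lower bound for the 4.x Linux-based variants, so the script treats every build below 4.19.0.0 as needing the update, and it assumes the Runtime Toolkit shares the 3.5.x range. Host names and the `visu_active` flag are constructed.

```python
"""Inventory triage for the CmpVisuServer DoS described above.

Added example; not code from the advisory or from CODESYS. It encodes the
affected and fixed versions shown on this page and applies them to a
constructed inventory. Anything marked "assumption" is not stated on the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted CODESYS version such as '3.5.21.40' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


@dataclass(frozen=True)
class Rule:
    first_affected: Optional[Version]  # None: lower bound not shown on the page
    fixed_in: Version


# 3.5.x line (table above): affected from 3.5.18.0, fixed in 3.5.21.40.
RULE_35 = Rule(parse_version("3.5.18.0"), parse_version("3.5.21.40"))
# 4.x line (Linux-based variants): fixed in 4.19.0.0 per the hotfix note. The page
# does not show their lower bound, so (assumption) every earlier 4.x build is
# treated as needing the update.
RULE_4 = Rule(None, parse_version("4.19.0.0"))

RULES: Dict[str, Rule] = {
    "Control RTE (SL)": RULE_35,
    "Control RTE (for Beckhoff CX) SL": RULE_35,
    "Control Win (SL)": RULE_35,
    "HMI (SL)": RULE_35,
    "Remote Target Visu": RULE_35,
    "Runtime Toolkit": RULE_35,  # assumption: same range as the other 3.5.x rows
    "Control for Raspberry Pi SL": RULE_4,
    "Control for Linux SL": RULE_4,
    "Control for PFC200 SL": RULE_4,
    "Control for PLCnext SL": RULE_4,
    "Virtual Control SL": RULE_4,
}


def classify(product: str, version: str) -> str:
    """'patched', 'affected', 'not-affected' (older than first affected) or 'unknown'."""
    rule = RULES.get(product)
    if rule is None:
        return "unknown"
    v = parse_version(version)
    if v >= rule.fixed_in:
        return "patched"
    if rule.first_affected is not None and v < rule.first_affected:
        return "not-affected"
    return "affected"


def triage(inventory: List[dict]) -> List[dict]:
    """Rank devices. An affected runtime with CmpVisuServer active is reachable over
    the network and gets the 'do now' workaround plus a scheduled update; an affected
    runtime without visualization only needs the scheduled update."""
    result = []
    for dev in inventory:
        status = classify(dev["product"], dev["version"])
        rule = RULES.get(dev["product"])
        if status == "affected" and dev["visu_active"]:
            action, priority = f"restrict visu port now; update to {fmt(rule.fixed_in)}", 1
        elif status == "affected":
            action, priority = f"update to {fmt(rule.fixed_in)} at next maintenance window", 2
        elif status == "unknown":
            action, priority = "product not in advisory table; verify manually", 3
        else:
            action, priority = "no action", 4
        result.append({"host": dev["host"], "status": status,
                       "priority": priority, "action": action})
    return sorted(result, key=lambda r: r["priority"])  # stable: keeps input order within a tier


# Constructed inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "plc-line1", "product": "Control RTE (SL)", "version": "3.5.20.0", "visu_active": True},
    {"host": "plc-line2", "product": "Control for Raspberry Pi SL", "version": "4.18.0.0", "visu_active": False},
    {"host": "hmi-pack", "product": "HMI (SL)", "version": "3.5.21.40", "visu_active": True},
    {"host": "plc-old", "product": "Control Win (SL)", "version": "3.5.17.30", "visu_active": True},
    {"host": "gw-edge", "product": "Edge Gateway", "version": "4.10.0.0", "visu_active": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['priority']} {row['host']:<10} {row['status']:<13} {row['action']}")
```

The version comparison is tuple-based, so a shorter string such as `3.5.21` sorts below `3.5.21.40` and is still reported as affected; feed the script the full four-part version reported by the runtime. Product names must match the advisory's wording (the keys above) for the rule lookup to apply; anything else is reported as unknown rather than silently treated as safe.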