CODESYS Control - Invalid type usage in visualization

Plan PatchCVSS 7.5VDE-2025-100Dec 1, 2025

CODESYSPhoenix ContactWAGOBeckhoffManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in the CODESYS Control runtime system's CmpVisuServer component allows remote attackers to cause a denial-of-service (DoS) condition by sending a specially crafted request to the CODESYS Web Visualization or Remote Target Visualization service. The vulnerability is triggered by an internal memory access using a pointer of the wrong type, causing the runtime to crash. Only CODESYS Control runtime systems and PLCs based on the CODESYS Runtime Toolkit that include the CmpVisuServer component are affected. For Web Visualization, exploitation requires the web server to be running, which depends on the PLC's startup configuration and whether application code includes a visualization.

What this means

What could happen

An attacker can crash a PLC or control system running vulnerable CODESYS visualization components by sending a specially crafted request, causing the industrial process to stop until the device is rebooted.

Who's at risk

Manufacturing facilities using CODESYS-based PLCs and control systems from Beckhoff, WAGO, Phoenix Contact, and other CODESYS-licensed vendors. Specifically impacts any facility running Control RTE, Control Win, HMI, Remote Target Visualization, or Runtime Toolkit with visualization functionality enabled.

How it could be exploited

An attacker with network access to the CODESYS Web Visualization or Remote Target Visualization component (typically listening on port 8080 or similar) sends a malformed request that triggers an invalid memory access in the CmpVisuServer component, causing the runtime to crash. No authentication is required.

Prerequisites

Network access to the CODESYS Web Visualization service port (default port 8080)
The PLC or control device must be running affected versions of CODESYS Control or Runtime Toolkit with visualization enabled
The visualization web server must be active (enabled in the PLC's startup configuration)

remotely exploitableno authentication requiredlow complexityaffects availability (denial of service)impacts critical industrial control systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (17)

17 with fix

ProductAffected VersionsFix Status

Control RTE (SL) 3.5.18.0<3.5.21.403.5.18.0<3.5.21.403.5.21.40

Control RTE (for Beckhoff CX) SL 3.5.18.0<3.5.21.403.5.18.0<3.5.21.403.5.21.40

Control Win (SL) 3.5.18.0<3.5.21.403.5.18.0<3.5.21.403.5.21.40

HMI (SL) 3.5.18.0<3.5.21.403.5.18.0<3.5.21.403.5.21.40

Remote Target Visu 3.5.18.0<3.5.21.403.5.18.0<3.5.21.403.5.21.40

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDIf visualization is not required for your process, disable the CODESYS Web Visualization service in the PLC startup configuration to prevent exposure

HARDENINGRestrict network access to the CODESYS visualization service port using a firewall; limit access to only authorized engineering workstations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Control RTE (for Beckhoff CX) SL 3.5.18.0<3.5.21.40

HOTFIXUpdate CODESYS Control RTE (SL), Control RTE for Beckhoff CX, Control Win (SL), HMI (SL), Remote Target Visu, and Runtime Toolkit to version 3.5.21.40 or later

All products

HOTFIXUpdate CODESYS Control products for BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, and Virtual Control to version 4.19.0.0 or later

CVEs (1)

CVE-2025-41738

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d89d5c2b-f701-477e-8e66-aae9d2a2c5e7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.