CODESYS Development System - Deserialization of Untrusted Data

Plan Patch | 7.8 | VDE-2025-101 | Dec 1, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A deserialization vulnerability exists in the CODESYS Development System print engine. When a user opens a maliciously crafted CODESYS project file or archive file and accesses print or printer configuration options, the system deserializes untrusted data that can lead to arbitrary code execution with the privileges of the user running the Development System.

What this means
What could happen
An attacker could trick a CODESYS developer into opening a malicious project file, which would execute arbitrary code on the engineering workstation when print settings are accessed. This could compromise the integrity of control logic before deployment to industrial systems.
Who's at risk
CODESYS developers and engineering teams who use the Development System to create and modify control logic for industrial PLC, motion control, and safety systems. This affects any organization using CODESYS for programming industrial automation equipment, including manufacturers of embedded control systems and end users developing on-site applications.
How it could be exploited
An attacker crafts a malicious CODESYS project or archive file with embedded code in the print settings serialization. The attacker distributes this file to a CODESYS developer (via email, file share, or repository). When the developer opens the project file in CODESYS Development System and accesses print or printer configuration options, the malicious serialized data is deserialized and executed with the user's privileges.
Prerequisites
  • User must open a maliciously crafted CODESYS project file or archive
  • User must access the print or printer configuration options through the UI
  • CODESYS Development System must be an affected version (before 3.5.21.40)
  • Low attack complexity
  • User interaction required (opening file)
  • High privileges context (user running engineering workstation)
  • Affects development/engineering environment
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Development System <3.5.21.40 | <3.5.21.40 | 3.5.21.40
Remediation & Mitigation
Do now
WORKAROUND: Only open CODESYS project files and archives from trusted sources; verify files come from known team members or official repositories
HARDENING: Educate CODESYS developers not to open project files from untrusted sources, particularly those received via email or unexpected channels
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Development System to version 3.5.21.40 or later