CODESYS Development System - Deserialization of Untrusted Data

Plan Patch | CVSS 7.8 | VDE-2025-101 | Dec 1, 2025
CODESYS
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in the CODESYS Development System print engine allows arbitrary code execution when a user opens a specially crafted project file or archive and accesses print or printer configuration options. The vulnerability exists in deserialization of untrusted data within the print engine. Affected versions are prior to 3.5.21.40. Code execution occurs in the context of the user opening the file.

What this means
What could happen
An attacker could trick an engineer into opening a malicious CODESYS project file, leading to execution of arbitrary code on the development workstation with the engineer's privileges. This could compromise the integrity of control logic before it is deployed to production systems.
Who's at risk
This affects organizations using CODESYS Development System for PLC and industrial control system programming. Primary risk is to control system engineers and development teams who create or modify automation logic. Compromised development workstations could introduce malicious code into deployed control systems affecting water treatment, electric distribution, manufacturing, and other critical infrastructure.
How it could be exploited
An attacker crafts a malicious CODESYS project file (.project, .package, or archive file) containing malicious serialized data in the print engine settings. When an engineer opens the file and accesses the print or printer configuration options (or attempts to print), the development system deserializes the untrusted data, triggering arbitrary code execution.
Prerequisites
  • User must open a malicious CODESYS project file from an untrusted source
  • User must access print/printer configuration options or attempt to print the project
  • CODESYS Development System version before 3.5.21.40 must be installed
  • low complexity attack
  • user interaction required (opening file)
  • affects development/engineering environment
  • could enable supply chain compromise of control logic
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Development System <3.5.21.40 | <3.5.21.40 | 3.5.21.40
Remediation & Mitigation
Do now
HARDENING: Establish a policy to open CODESYS project files and archives only from verified, trustworthy sources
HARDENING: Educate engineering staff on the risk of opening project files from untrusted external sources, similar to phishing awareness
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Development System to version 3.5.21.40 or later
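To scope the patch window, the following added example (not part of the advisory or of any CODESYS tooling) triages an inventory of engineering workstations against the fixed version 3.5.21.40. The hostnames and version strings are constructed, and the mapping of the release name "V3.5 SP21 Patch 4" to 3.5.21.40 is an assumption about the vendor's naming convention.

```python
import re

FIXED = (3, 5, 21, 40)  # first fixed version stated in the advisory

_DOTTED = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)$")
# Assumption: release name "V3.5 SP21 Patch 4" corresponds to 3.5.21.40.
_SP = re.compile(r"^[Vv]?(\d+)\.(\d+)\s+SP(\d+)(?:\s+Patch\s+(\d+))?$", re.I)

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not recognised."""
    s = text.strip()
    m = _DOTTED.match(s)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _SP.match(s)
    if m:
        major, minor, sp, patch = m.groups()
        return (int(major), int(minor), int(sp), int(patch or 0) * 10)
    return None

def triage(inventory):
    """Classify each (host, version_string) row as affected, fixed or unknown."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, raw in inventory:
        v = parse_version(raw)
        if v is None:
            # Never treat an unparsed version as patched; review it by hand.
            result["unknown"].append(host)
        elif v < FIXED:  # numeric tuple comparison, not string comparison
            result["affected"].append(host)
        else:
            result["fixed"].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("eng-ws-01", "3.5.21.40"),
    ("eng-ws-02", "3.5.9.90"),  # sorts after 3.5.21.40 as a string, but is older
    ("eng-ws-03", "V3.5 SP21 Patch 3"),
    ("eng-ws-04", "V3.5 SP22"),
    ("eng-ws-05", "unknown build"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:9}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked manually rather than assumed fixed.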
API: /api/v1/advisories/5b07d501-af1c-450b-ad4c-2e47e2feac8e
