CODESYS Control V3 - Untrusted boot application

Plan Patch | CVSS 8.8 | VDE-2026-011 | Mar 24, 2026
CODESYS, Phoenix Contact, WAGO, Beckhoff, Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The CODESYS Control runtime system allows users in the restricted Service group to replace the boot application without requiring cryptographic validation if application signing is not enforced. This permission is intended for maintenance operations but can be abused by an attacker with Service-level credentials to install an arbitrary boot application and gain full control of the controller. When application signing is disabled (the default), users in the Service group or any group with "Add/Remove" or "Modify" permissions on boot application files can upload and execute malicious code on the device.

What this means
What could happen
An attacker with Service-level user credentials can install a malicious boot application on the controller, allowing them to execute arbitrary code and take full control of the PLC or industrial device, disrupting normal operations.
Who's at risk
This vulnerability affects manufacturers and utilities running CODESYS Control runtime systems, including those deployed on Beckhoff CX controllers, WAGO PLCs, Phoenix Contact industrial devices, and Raspberry Pi or Linux-based industrial controllers. Any organization using CODESYS for PLC programming or industrial automation should assess their exposure, particularly if Service-level user accounts are active or if application signing is not enforced.
How it could be exploited
An attacker with valid Service-group credentials logs into the CODESYS Control runtime system and uploads a crafted boot application via the application management interface. If application signing is not enforced (the default), the runtime accepts and executes the malicious boot application, giving the attacker full control over the controller.
Prerequisites
  • Valid Service-level or equivalent user credentials for the CODESYS Control system
  • Network access to the CODESYS Control runtime system management interface
  • Application signing not enforced (SECURITY.EnforceSignedCode set to NO or default)
  • Ability to upload files to the boot application location
  • Remotely exploitable if controller is reachable from untrusted networks
  • Requires valid Service-level credentials (low privilege but common in industrial deployments)
  • Low attack complexity
  • Affects PLCs and industrial controllers (native OT systems)
  • Default configuration allows unsigned boot application uploads
  • No patch available yet for most environments (workarounds required)
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
Control RTE (SL) < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0
Control RTE (for Beckhoff CX) SL < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0
Control Win (SL) < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0
HMI (SL) < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0
Runtime Toolkit < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0
Remediation & Mitigation
Do now
WORKAROUND: Enable application code signing enforcement by setting SECURITY.EnforceSignedCode=YES in the CODESYSControl.cfg configuration file or via the Device Security Settings dialog in the CODESYS Development System
HARDENING: Remove all users from the Service group, or delete the Service group entirely if maintenance functions can be performed by Administrators or Developers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Control RTE (for Beckhoff CX) SL < 3.5.22.0
HOTFIX: Update all affected CODESYS Control products to version 3.5.22.0 (RTE SL, RTE for Beckhoff CX, Control Win SL, HMI SL, Runtime Toolkit) or 4.21.0.0 (Control for BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, Virtual Control)
All products
HARDENING: Verify that new CODESYS installations use the default configuration that sets SECURITY.UnsignedApplicationFileTransfer=DENY to block unsigned boot application uploads
Long-term hardening
HARDENING: Restrict Service group permissions by removing modify/add permissions on boot application files and related file system objects
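
An added example, not part of the advisory or of CODESYS tooling: a small Python audit that checks a CODESYSControl.cfg for the two settings named in the remediation steps. It assumes the file is INI-style ([Section] headers, Key=Value lines, ; comments) and matches the keys in whatever section they appear; the sample config and its section names are constructed.

```python
import re

# Settings named in the advisory and the value it recommends for each.
EXPECTED = {
    "SECURITY.EnforceSignedCode": "YES",
    "SECURITY.UnsignedApplicationFileTransfer": "DENY",
}

def audit_cfg(text):
    """Return {setting: (status, detail)} for an INI-style runtime config."""
    seen = {}        # setting -> list of (section, value), one per occurrence
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment (assumed syntax)
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            for name in EXPECTED:
                if key.strip().lower() == name.lower():
                    seen.setdefault(name, []).append((section, value.strip()))
    report = {}
    for name, want in EXPECTED.items():
        hits = seen.get(name, [])
        if not hits:
            # Absent key: the runtime default applies, which the advisory
            # says is "not enforced" for EnforceSignedCode.
            report[name] = ("MISSING", "not set in file; runtime default applies")
        elif all(v.upper() == want for _, v in hits):
            report[name] = ("OK", f"{want} in [{hits[0][0]}]")
        else:
            bad = [f"[{s}] {v}" for s, v in hits if v.upper() != want]
            report[name] = ("WEAK", f"expected {want}, found {', '.join(bad)}")
    return report

# Constructed sample; section names are placeholders, not taken from the advisory.
SAMPLE = """\
[ExampleSection]
; signing left at the value the advisory warns about
SECURITY.EnforceSignedCode=NO
[OtherSection]
Some.Other.Setting=1
"""

if __name__ == "__main__":
    for name, (status, detail) in audit_cfg(SAMPLE).items():
        print(f"{status:8} {name}: {detail}")
```

A MISSING result is a prompt to confirm the effective value on the device, for example in the Device Security Settings dialog mentioned above, since the file alone does not show which default the installed version applies.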

CODESYS Control V3 - Untrusted boot application | CVSS 8.8 - OTPulse