CODESYS Control V3 - Untrusted boot application

Plan Patch | 8.8 | VDE-2026-011 | Mar 24, 2026
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The CODESYS Control runtime system includes user privilege groups (Administrators, Developers, Service) intended to restrict sensitive operations. The Service group is designed for maintenance and can replace boot applications. However, the CmpApp component does not validate the cryptographic signature of boot applications if signature enforcement is disabled. A Service-group user can therefore install and execute an arbitrary boot application on the controller, bypassing the normal application loading controls. This vulnerability affects multiple CODESYS Control runtime editions across various hardware platforms (RTE, Win, Linux, Raspberry Pi, WAGO, Beckhoff, etc.) in versions before 3.5.22.0 or 4.21.0.0 depending on the product line.

What this means
What could happen
A user with Service-level privileges (e.g., a maintenance technician) can install an unsigned boot application and execute arbitrary code on the PLC or controller, potentially altering process logic or disrupting normal plant operations.
Who's at risk
This affects manufacturers using CODESYS Control runtime on industrial controllers from CODESYS, Phoenix Contact, WAGO, and Beckhoff platforms—including edge devices like Raspberry Pi, WAGO PFC panels, and Beckhoff CX systems. Any facility running these controllers for process automation, manufacturing, or plant operations should assess their user privilege configuration.
How it could be exploited
An attacker with Service-group credentials or access to the device can load an unsigned boot application onto the CODESYS Control runtime through the file transfer mechanism. If application signing is not enforced, the runtime will execute the attacker's code instead of the legitimate application, giving the attacker full control over the controller's behavior.
Prerequisites
  • Service-level user credentials or equivalent account with modify permissions on boot application files
  • Network or physical access to upload files to the device
  • Application signing enforcement (SECURITY.EnforceSignedCode) must be disabled in the runtime configuration
remotely exploitable; low complexity; requires low privilege level (Service group); affects runtime control logic
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (16)
16 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Control RTE (SL) < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0 |
| Control RTE (for Beckhoff CX) SL < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0 |
| Control Win (SL) < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0 |
| HMI (SL) < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0 |
| Runtime Toolkit < 3.5.22.0 | < 3.5.22.0 | 3.5.22.0 |
Remediation & Mitigation
Do now
WORKAROUND: Enable signed application enforcement by setting SECURITY.EnforceSignedCode=YES in the [CmpApp] section of CODESYSControl.cfg or via Device Security Settings in CODESYS Development System
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Control RTE (for Beckhoff CX) SL < 3.5.22.0
HOTFIX: Update CODESYS Control RTE (SL), Control RTE (for Beckhoff CX) SL, Control Win (SL), HMI (SL), and Runtime Toolkit to version 3.5.22.0 or later
All products
HOTFIX: Update CODESYS Control products for BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, and Virtual Control to version 4.21.0.0 or later
Long-term hardening
HARDENING: Review and restrict Service group permissions by removing or limiting modify access to boot application files
HARDENING: Remove all users from the Service group or delete the group entirely if maintenance operations requiring Service privileges are not necessary
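
A configuration audit for the workaround and fixed versions listed above, as an added example that is not part of the advisory or of CODESYS code. It assumes CODESYSControl.cfg uses INI-style [Section] headers and key=value lines with ";" comments; the function names, the case-insensitive matching and the sample files are constructed for illustration, and an absent key is treated as not enforced.

```python
import re

SECTION = "CmpApp"                   # section named in the advisory
KEY = "SECURITY.EnforceSignedCode"   # setting named in the advisory

def signed_code_status(cfg_text):
    """Return 'enforced', 'disabled' or 'not_set' for the [CmpApp] key."""
    section, status = None, "not_set"
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # assumed comment syntax
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != SECTION.lower() or "=" not in line:
            continue                               # key only counts inside [CmpApp]
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == KEY.lower():             # last occurrence wins (assumption)
            status = "enforced" if value.upper() == "YES" else "disabled"
    return status

def version_tuple(version):
    """Turn '3.5.21.0' into (3, 5, 21, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def needs_action(cfg_text, runtime_version, fixed_version):
    """True when the runtime predates the fix and signing is not enforced."""
    outdated = version_tuple(runtime_version) < version_tuple(fixed_version)
    return outdated and signed_code_status(cfg_text) != "enforced"

# Constructed sample configurations (not taken from a real device).
CFG_WEAK = """\
[CmpApp]
Application.1=Application
; SECURITY.EnforceSignedCode=YES
[CmpUserMgr]
SECURITY.EnforceSignedCode=YES
"""
CFG_HARDENED = """\
[CmpApp]
Application.1=Application
SECURITY.EnforceSignedCode=YES
"""

if __name__ == "__main__":
    for name, cfg in (("weak", CFG_WEAK), ("hardened", CFG_HARDENED)):
        print(name, signed_code_status(cfg), needs_action(cfg, "3.5.21.0", "3.5.22.0"))
```

Pass the fixed version for the product line in use (3.5.22.0 or 4.21.0.0, per the remediation items above) as the third argument.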