CODESYS Installer - Possible Privilege Escalation
Plan Patch · CVSS 7.3 · VDE-2026-012 · Mar 10, 2026
CODESYS
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
A race condition in the CODESYS Installer allows a local user with limited privileges to replace the verified downloaded setup file before the installer executes it. Because the update process runs with administrator rights, this enables execution of malicious code with elevated privileges. The vulnerability is triggered when a user confirms the self-update prompt for the CODESYS Installer or initiates installation of a CODESYS Development System. The CODESYS Add-Ons update process is not affected.
What this means
What could happen
A local user with limited privileges can trick the CODESYS Installer into running a malicious application with administrator rights by exploiting a race condition during self-update or Development System installation, potentially giving attackers full control of the engineering workstation.
Who's at risk
Engineering teams and automation contractors using CODESYS development environments on workstations. This affects anyone who develops control logic for industrial devices (PLCs, motion controllers, embedded systems) using the CODESYS IDE on a shared or multi-user engineering workstation where an untrusted local user might also have access.
How it could be exploited
An attacker with a local user account on the engineering workstation monitors the CODESYS Installer's update process. When a legitimate user confirms the self-update prompt or initiates a Development System installation, the attacker exploits a timing window (race condition) to replace the verified downloaded setup file with a malicious executable. The installer then runs this malicious code with administrator privileges.
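The check-then-launch race described above, as an added example that is not CODESYS code: the racy shape (verify a file in a user-writable download folder, then launch that same path) beside a hardened shape that copies the download into an administrator-only staging directory and verifies and launches the copy. The staging ACL, the sample setup bytes and the argv-recording launcher used by demo() are assumptions.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

# Added example, not CODESYS code. Assumption: staging_dir has an ACL that
# only administrators can write to; creating it with that ACL is not shown.
Launcher = Callable[[List[str]], object]

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # chunked: setup packages are large
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def run_setup_racy(download: Path, expected: str,
                   launch: Launcher = subprocess.run) -> Optional[Path]:
    """Vulnerable shape: verify a file in the user-writable download folder,
    then launch the same path; whatever sits there at launch time runs."""
    if sha256_of(download) != expected:
        return None
    launch([str(download)])  # the check-to-use window lies before this line
    return download

def run_setup_hardened(download: Path, staging_dir: Path, expected: str,
                       launch: Launcher = subprocess.run) -> Optional[Path]:
    """Hardened shape: copy into admin-only staging, verify the copy, launch
    the copy, so the verified bytes are the executed bytes."""
    staged = staging_dir / download.name
    shutil.copy2(download, staged)
    if sha256_of(staged) != expected:
        staged.unlink(missing_ok=True)  # never leave an unverified file behind
        return None
    launch([str(staged)])
    return staged

def demo() -> dict:
    """Both outcomes on a constructed download; launch() only records argv."""
    root = Path(tempfile.mkdtemp())
    downloads, staging = root / "downloads", root / "staging"
    downloads.mkdir(); staging.mkdir()
    setup = downloads / "setup.exe"
    setup.write_bytes(b"constructed setup package")  # constructed sample
    expected = hashlib.sha256(b"constructed setup package").hexdigest()
    calls: List[List[str]] = []
    ok = run_setup_hardened(setup, staging, expected, launch=calls.append)
    setup.write_bytes(b"swapped after download")  # simulated replacement
    bad = run_setup_hardened(setup, staging, expected, launch=calls.append)
    return {"ok": ok, "bad": bad, "calls": calls,
            "staged_left": (staging / "setup.exe").exists()}
```

In the hardened path a swapped download simply fails verification and the staged copy is removed, whereas the racy path would execute whatever was at the download path when launch() ran.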
Prerequisites
- Local user account on the engineering workstation running CODESYS Installer
- User must confirm the self-update prompt or initiate a Development System installation
- Access to the same file system where the installer downloads setup files
race condition flaw · requires local user access · user interaction required (confirmation prompt) · affects engineering workstations · allows privilege escalation to administrator
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product      Affected Versions   Fix Status
Installer    < 2.6.1.0           2.6.1.0
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update CODESYS Installer to version 2.6.1.0 or later
CVEs (1)