CODESYS Control V3 - Externally-controlled format string in Auditlog
Plan Patch7.5VDE-2026-018Mar 24, 2026
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
The CmpAuditLog component in CODESYS Control runtime allows unauthenticated remote attackers to control the format string of processed log messages. The vulnerability can cause the CODESYS Control runtime process to crash.
What this means
What could happen
An attacker can crash the CODESYS Control runtime from the network, interrupting PLC operation and stopping whatever process the controller manages (manufacturing equipment, production lines, etc.).
Who's at risk
Manufacturing facilities and process automation operators running CODESYS Control runtime environments on any of the supported platforms (Beckhoff CX controllers, Linux-based controllers, WAGO PFC/Touch Panel devices, Raspberry Pi, BeagleBone, PLCnext, etc.) should evaluate this vulnerability. Any plant using these controllers for critical production processes is at risk of unplanned downtime.
How it could be exploited
An attacker with network access to the CODESYS Control device can send a crafted message to the Audit Log component that contains a format string. The vulnerable CmpAuditLog processes this input without validation and the format string is interpreted during log message processing, causing a denial of service by crashing the runtime.
Prerequisites
- Network access to the CODESYS Control device on the port it listens on (typically TCP/IP communications)
- Audit Log feature enabled in the runtime configuration
Remotely exploitableNo authentication requiredLow complexityAffects manufacturing control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (15)
15 with fix
ProductAffected VersionsFix Status
Control RTE (SL) 3.5.17.0 < 3.5.22.03.5.17.0< 3.5.22.03.5.22.0
Control RTE (for Beckhoff CX) SL 3.5.17.0 < 3.5.22.03.5.17.0< 3.5.22.03.5.22.0
Control Win (SL) 3.5.17.0 < 3.5.22.03.5.17.0< 3.5.22.03.5.22.0
Runtime Toolkit 3.5.17.0 < 3.5.22.03.5.17.0< 3.5.22.03.5.22.0
Control for BeagleBone SL 4.1.0.0 < 4.21.0.04.1.0.0< 4.21.0.04.21.0.0
Control for emPC-A/iMX6 SL 4.1.0.0 < 4.21.0.04.1.0.0< 4.21.0.04.21.0.0
Control for IOT2000 SL 4.1.0.0 < 4.21.0.04.1.0.0< 4.21.0.04.21.0.0
Control for Linux ARM SL 4.1.0.0 < 4.21.0.04.1.0.0< 4.21.0.04.21.0.0
Remediation & Mitigation
0/7
Do now
0/1WORKAROUNDDisable the Audit Log feature in the runtime configuration by setting Logger.0.Enable=0 in the [CmpLog] section of the configuration file if immediate patch deployment is not possible
Schedule — requires maintenance window
0/5Patching may require device reboot — plan for process interruption
Control RTE (for Beckhoff CX) SL 3.5.17.0 < 3.5.22.0
HOTFIXUpdate CODESYS Control RTE (for Beckhoff CX) SL to version 3.5.22.0 or later
All products
HOTFIXUpdate CODESYS Control RTE (SL) to version 3.5.22.0 or later
HOTFIXUpdate CODESYS Control Win (SL) to version 3.5.22.0 or later
HOTFIXUpdate CODESYS Runtime Toolkit to version 3.5.22.0 or later
HOTFIXUpdate all CODESYS Control variants for Beckhoff, Linux, ARM, WAGO, Raspberry Pi, and other platforms to version 4.21.0.0 or later
Long-term hardening
0/1HARDENINGRestrict network access to CODESYS Control devices to only trusted engineering and management networks using firewall rules
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8f317b2b-a6ef-4942-8908-15c600fdc936