CODESYS Control V3 - Externally-controlled format string in Auditlog

Plan Patch | CVSS 7.5 | VDE-2026-018 | Mar 24, 2026
CODESYS, Phoenix Contact, WAGO, Beckhoff, Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A format string vulnerability in CODESYS Control's CmpAuditLog component allows unauthenticated remote attackers to crash the runtime. The vulnerability is triggered when malicious format strings are sent to the Audit Log system, which processes them without proper validation. The impact is limited to a denial of service (runtime crash). Multiple CODESYS product variants are affected, including Control RTE for standard and Beckhoff platforms, Control Win, Runtime Toolkit, and embedded variants for BeagleBone, Linux, PLCnext, WAGO, and other industrial platforms.

What this means
What could happen
An attacker can crash the CODESYS Control runtime by sending specially crafted log messages to the Audit Log component, potentially disrupting manufacturing processes that depend on continuous controller operation.
Who's at risk
Manufacturing facilities using CODESYS Control runtime environments are affected, particularly those running embedded controllers (WAGO, Beckhoff, or Linux-based platforms), Windows-based engineering stations, and custom industrial automation systems built on the CODESYS platform. This includes any facility using CODESYS-based PLCs, RTUs, or industrial HMIs for process control.
How it could be exploited
An attacker sends malicious format strings to the CODESYS runtime's Audit Log component over the network without authentication. The runtime processes these strings in the log message handler, causing a crash. The attack vector is network-accessible, likely through the runtime's logging or communication interface.
Prerequisites
  • Network access to the CODESYS Control runtime (typically port 11740 or runtime-configured port)
  • Audit Log feature must be enabled in the runtime (default configuration)
  • No authentication required
Remotely exploitable | No authentication required | Low complexity | Causes denial of service | Affects multiple industrial control platforms
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (15)
15 with fix
Product                              Affected Versions        Fix Status
Control RTE (SL)                     3.5.17.0 < 3.5.22.0      3.5.22.0
Control RTE (for Beckhoff CX) SL     3.5.17.0 < 3.5.22.0      3.5.22.0
Control Win (SL)                     3.5.17.0 < 3.5.22.0      3.5.22.0
Runtime Toolkit                      3.5.17.0 < 3.5.22.0      3.5.22.0
Control for BeagleBone SL            4.1.0.0 < 4.21.0.0       4.21.0.0
Control for emPC-A/iMX6 SL           4.1.0.0 < 4.21.0.0       4.21.0.0
Control for IOT2000 SL               4.1.0.0 < 4.21.0.0       4.21.0.0
Control for Linux ARM SL             4.1.0.0 < 4.21.0.0       4.21.0.0
Remediation & Mitigation
Do now
WORKAROUND: Disable the Audit Log feature by setting Logger.0.Enable=0 in the [CmpLog] section of the CODESYS Control runtime configuration file as an immediate workaround.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Control RTE (for Beckhoff CX) SL 3.5.17.0 < 3.5.22.0
HOTFIX: Update CODESYS Control RTE (for Beckhoff CX) SL to version 3.5.22.0 or later
All products
HOTFIX: Update CODESYS Control RTE (SL) to version 3.5.22.0 or later
HOTFIX: Update CODESYS Control Win (SL) to version 3.5.22.0 or later
HOTFIX: Update CODESYS Runtime Toolkit to version 3.5.22.0 or later
HOTFIX: Update all CODESYS Control products for embedded platforms (BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, Virtual Control) to version 4.21.0.0 or later
Long-term hardening
HARDENING: Restrict network access to the CODESYS runtime port to only authorized engineering workstations and management networks
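
Added example, not part of the advisory or any CODESYS tooling: a triage script that classifies an asset inventory against the version ranges in the table above and checks whether the Logger.0.Enable=0 workaround is present in a runtime configuration file. The host names, inventory layout and config text are constructed, and it assumes the config file parses as INI and that products named only in the remediation list share the 4.x bounds.

```python
import configparser

# (first affected, first fixed) per version line, taken from the advisory table.
# Assumption: products named only in the remediation list share the 4.x bounds.
RANGES = {3: ((3, 5, 17, 0), (3, 5, 22, 0)), 4: ((4, 1, 0, 0), (4, 21, 0, 0))}

def parse_version(text):
    """'4.3.0.0' -> (4, 3, 0, 0); numeric so 4.3 sorts below 4.21."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def status(version_text):
    """Classify a runtime version against the advisory's ranges."""
    version = parse_version(version_text)
    bounds = RANGES.get(version[0])
    if bounds is None:
        return "unknown version line"
    first_affected, first_fixed = bounds
    if version >= first_fixed:
        return "fixed"
    return "affected" if version >= first_affected else "outside listed range"

def workaround_applied(cfg_text):
    """True if Logger.0.Enable=0 is set under [CmpLog], as the advisory describes."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(cfg_text)
    return cfg.get("CmpLog", "Logger.0.Enable", fallback="").strip() == "0"

def triage(inventory, configs):
    """Return (host, product, status, workaround_set) for each inventory row."""
    rows = []
    for host, product, version in inventory:
        state = status(version)
        mitigated = state == "affected" and workaround_applied(configs.get(host, ""))
        rows.append((host, product, state, mitigated))
    return rows

if __name__ == "__main__":
    # Constructed sample data; host names and config text are made up.
    inventory = [
        ("plc-01", "Control Win (SL)", "3.5.19.0"),
        ("plc-02", "Control for Linux ARM SL", "4.3.0.0"),
        ("plc-03", "Control RTE (SL)", "3.5.22.0"),
    ]
    configs = {"plc-02": "[CmpLog]\nLogger.0.Enable=0\n"}
    for row in triage(inventory, configs):
        print(row)
```

Hosts reported as affected with the workaround unset are the ones to prioritise for the configuration change until the update can be scheduled.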