CODESYS EtherNetIP - Improper timeout handling

Plan PatchCVSS 7.5VDE-2026-040Apr 23, 2026

CODESYS

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

CODESYS EtherNet/IP protocol stack contains a flaw in timeout handling for active TCP connections. Under non-standard operating conditions, the adapter fails to release expired connections, exhausting the available connection pool. Once all connections are consumed, no new TCP connections can be established, preventing communication between the adapter and remote EtherNet/IP devices. Existing active connections remain functional. This affects only CODESYS projects configured with an EtherNet/IP adapter.

What this means

What could happen

An attacker can exhaust available TCP connections in EtherNet/IP adapters by sending malformed traffic, preventing new legitimate connections and causing denial of service to the industrial control system. Existing connections remain operational, but the inability to establish new connections can disrupt communication with field devices and process interruptions.

Who's at risk

Organizations using CODESYS for industrial automation should care, particularly those running EtherNet/IP adapters in manufacturing plants, water treatment facilities, power distribution systems, and other critical infrastructure. This affects any system where CODESYS Control runtime executes EtherNet/IP adapter applications for device communication.

How it could be exploited

An attacker with network access to the EtherNet/IP adapter can send specially crafted traffic that causes TCP connections to not be properly released when they expire. Once all available connection slots are consumed, legitimate EtherNet/IP devices cannot connect, blocking industrial communication.

Prerequisites

Network reachability to the EtherNet/IP adapter port (typically TCP 2222 or 44818)
EtherNet/IP adapter configured in the CODESYS project
Ability to send TCP traffic to trigger non-standard operating conditions that prevent timeout handling

remotely exploitableno authentication requiredlow complexityaffects availability (denial of service)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

EtherNetIP < 4.9.0.0< 4.9.0.04.9.0.0

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to EtherNet/IP adapter ports (TCP 2222, 44818) to only trusted engineering workstations and authorized field devices using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CODESYS EtherNetIP add-on to version 4.9.0.0 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate CODESYS runtime systems running EtherNet/IP adapters from untrusted network segments

CVEs (1)

CVE-2026-35225

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fee599c0-08e0-4b54-afba-74960f6a8b3b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.