CODESYS Modbus TCP Server - Improper resource management

Monitor | CVSS 5.9 | VDE-2026-042 | May 12, 2026
CODESYS
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A resource management flaw in the CODESYS Modbus TCP Server protocol stack can be triggered through race conditions during connection handling. The vulnerability can gradually exhaust the maximum number of configured connections, eventually preventing new connections from being accepted. It affects only CODESYS projects that include a Modbus TCP server configuration. Existing connections remain unaffected and continue to operate normally.

What this means
What could happen
A race condition in the Modbus TCP server can gradually exhaust available connections, eventually preventing new devices from communicating with the PLC until the server is restarted. Existing connections remain functional, but the control system becomes unable to accept new client connections.
Who's at risk
This affects any water authority or electric utility operating CODESYS-based PLCs or RTUs with Modbus TCP server configurations, particularly those using them for remote I/O communication, meter interfaces, or legacy device integration. Critical if Modbus TCP is used for primary control or monitoring paths.
How it could be exploited
An attacker with network access to the Modbus TCP server port repeatedly opens and closes connections, exploiting a race condition in the connection handling logic. By triggering the race condition consistently, they exhaust the configured connection limit, causing subsequent legitimate connection attempts to be rejected.
Prerequisites
  • Network access to the Modbus TCP server port (typically 502)
  • CODESYS project with Modbus TCP server configuration deployed
  • Multiple connection attempts needed to trigger race condition
remotely exploitable | low complexity attack (race condition) | affects systems with Modbus TCP server enabled
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Modbus < 4.6.0.0 | < 4.6.0.0 | 4.6.0.0
Remediation & Mitigation
Do now
HARDENING: Restrict Modbus TCP port access to only authorized engineering workstations and SCADA systems using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Modbus add-on to version 4.6.0.0 or later
HOTFIX: Update the Modbus TCP Server component in the CODESYS device tree to the latest version
HOTFIX: Download the updated CODESYS application to the PLC to activate the fix
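
Added example (not part of the advisory and not CODESYS code): a Python check over connection records that flags sources outside the firewall allowlist reaching the Modbus TCP port, and sources producing the rapid open/close pattern described under "How it could be exploited". The record format, IP addresses and thresholds are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque

MODBUS_PORT = 502                      # port named in the advisory's prerequisites
ALLOWED = {"10.0.5.10", "10.0.5.11"}   # assumed SCADA / engineering workstation IPs
WINDOW_S = 60.0   # assumed sliding window, seconds
SHORT_S = 1.0     # assumed: closed within 1 s counts as a short-lived connection
MAX_SHORT = 5     # assumed: more short-lived connections per window is suspicious

# Constructed flow records: start_epoch,src_ip,dst_port,duration_s
SAMPLE = """\
1000.0,10.0.5.10,502,3600.0
1001.0,10.0.9.7,80,0.2
1002.0,10.0.9.8,502,120.0
1010.0,192.0.2.50,502,0.05
1011.0,192.0.2.50,502,0.04
1012.0,192.0.2.50,502,0.05
1013.0,192.0.2.50,502,0.03
1014.0,192.0.2.50,502,0.05
1015.0,192.0.2.50,502,0.04
1020.0,10.0.5.11,502,0.5
1100.0,10.0.5.11,502,0.5
"""

def analyse(text, allowed=ALLOWED):
    """Return (unauthorised_sources, churn_sources) for Modbus TCP flows."""
    unauthorised, churn = set(), set()
    recent = defaultdict(deque)   # src -> start times of recent short connections
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    for start, src, dport, dur in sorted(rows, key=lambda r: float(r[0])):
        if int(dport) != MODBUS_PORT:
            continue
        if src not in allowed:
            unauthorised.add(src)     # firewall rule missing or bypassed
        if float(dur) > SHORT_S:
            continue                  # long-lived session, normal polling
        q = recent[src]
        q.append(float(start))
        while q[0] < float(start) - WINDOW_S:
            q.popleft()               # drop entries older than the window
        if len(q) > MAX_SHORT:
            churn.add(src)            # rapid open/close pattern
    return unauthorised, churn

if __name__ == "__main__":
    print(analyse(SAMPLE))
```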