CODESYS Visualization - Insufficiently Protected Credentials
Monitor · CVSS 5.7 · VDE-2026-052 · May 21, 2026
CODESYS
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: Required
Summary
A vulnerability in CODESYS Visualization versions prior to 4.10.0.0 allows authenticated users to obtain credentials entered by other users during concurrent login operations. The issue occurs in the login dialog when multiple users perform simultaneous login attempts within an active visualization session, affecting both local and remote access scenarios. The vulnerability is classified as insufficient protection of authentication credentials (CWE-522).
What this means
What could happen
An authenticated user of a CODESYS Visualization can steal login credentials entered by another user during concurrent login attempts, potentially gaining unauthorized access to the HMI or supervisory control functions.
Who's at risk
HMI operators and administrators managing CODESYS-based industrial visualization systems, particularly in water treatment, power distribution, and manufacturing facilities that rely on CODESYS for supervisory control and visualization of PLCs and remote terminal units (RTUs).
How it could be exploited
An attacker with valid access to an active CODESYS Visualization session can trigger a concurrent login by another user (local or remote access). The vulnerability leaks authentication data between concurrent login operations, allowing the attacker to capture credentials without triggering alerts or additional authentication checks.
Prerequisites
- Valid authentication credentials to access an active CODESYS Visualization session
- Ability to observe or trigger concurrent login operations (local or remote network access to the visualization)
- CODESYS Visualization version prior to 4.10.0.0 deployed on the HMI or PLC
- Remotely exploitable (remote access to visualization)
- Requires valid authentication credentials
- Affects user authentication and credential handling
- Impacts multi-user HMI environments
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
- Product: Visualization
- Affected versions: < 4.10.0.0
- Fix status: fixed in 4.10.0.0
Remediation & Mitigation
Do now
- WORKAROUND: Avoid using the 'User Management -> Login' Input Action for changing users within an active visualization session. Instead, use 'User Management -> Logout' followed by a fresh 'Login' to re-authenticate.
- WORKAROUND: Disable property handling in visualizations if it is not required for application functionality, by unchecking 'Activate property handling in all element properties' in Project Settings -> Visualization -> General -> Advanced.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update CODESYS Visualization to version 4.10.0.0 or later.
- HOTFIX: Recompile all affected CODESYS projects containing visualizations and download the updated application to the HMI or PLC.
CVEs (1)