CODESYS Development System - Incorrect Default Permissions

Action: Plan Patch | CVSS 7.8 | VDE-2026-055 | May 26, 2026
Vendor: CODESYS

Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Two local privilege escalation vulnerabilities exist in the CODESYS Development System. The PackageManager and IPM create temporary directories with insecure default permissions when run with administrative privileges. A low-privileged local user can exploit this to modify temporary bootstrap files or replace digitally verified installation files with malicious ones (TOCTOU race condition), forcing deployment of arbitrary components and bypassing intended security boundaries.

What this means
What could happen
A low-privileged local user could exploit insecure temporary file permissions to inject malicious code during the installation of packages or add-ons in the CODESYS Development System, potentially compromising PLC programming workflows and control system integrity.
Who's at risk
Engineering teams and OT staff using CODESYS for PLC and industrial controller programming. This primarily affects development and testing environments where CODESYS is installed, but compromised add-ons could propagate malicious code to deployed control systems.
How it could be exploited
An attacker with a local account on the development machine would monitor or predict the temporary directory created when an admin user runs the PackageManager or IPM installer, then modify the bootstrap file or replace installation files before they are verified and deployed. This bypasses the intended security checks and installs arbitrary components.
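As an added illustration (hypothetical code, not CODESYS's installer and not from the advisory): an installer that verifies a package in a shared temp directory and then deploys it from that same location, beside the hardened version that copies the file into a private staging directory and verifies and deploys only that copy. The `race` argument is a constructed test hook standing in for a write to the shared file during the verify-to-deploy window, so the two outcomes can be compared.

```python
import hashlib, os, shutil, stat, tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def is_private_dir(path: Path) -> bool:
    """Refuse group/world-writable staging dirs (POSIX only: Windows ACLs are not in st_mode)."""
    if os.name != "posix":
        return True
    return not (stat.S_IMODE(path.stat().st_mode) & (stat.S_IWGRP | stat.S_IWOTH))

def install_unsafely(pkg: Path, expected: str, dest: Path, race=None) -> bool:
    """Verify, then deploy straight from the shared temp dir: whatever is written
    to pkg between the check and the copy is what gets installed."""
    if sha256_of(pkg) != expected:
        return False
    if race:
        race()  # the swap happening inside the verify-to-deploy window
    shutil.copyfile(pkg, dest)
    return True

def install_safely(pkg: Path, expected: str, dest: Path, race=None) -> bool:
    """Copy into a private staging dir (mode 0o700 on POSIX), then verify and
    deploy only that copy; later changes to the shared file cannot reach dest."""
    with tempfile.TemporaryDirectory() as staging:
        if not is_private_dir(Path(staging)):
            return False
        private_copy = Path(staging) / pkg.name
        shutil.copyfile(pkg, private_copy)
        if sha256_of(private_copy) != expected:
            return False
        if race:
            race()  # same swap, but it no longer influences what is deployed
        shutil.copyfile(private_copy, dest)
        return True

def demo() -> dict:
    """Constructed scenario: the shared package file is overwritten mid-install."""
    good, swapped = b"signed-package-v1", b"tampered-package"
    expected = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        shared, a, b = (Path(d) / n for n in ("pkg.bin", "a.bin", "b.bin"))
        shared.write_bytes(good)
        install_unsafely(shared, expected, a, race=lambda: shared.write_bytes(swapped))
        shared.write_bytes(good)
        install_safely(shared, expected, b, race=lambda: shared.write_bytes(swapped))
        rejected = not install_safely(shared, expected, b)  # shared now holds swapped
        return {"unsafe": a.read_bytes(), "safe": b.read_bytes(), "rejected": rejected}
```

The same principle applies to the bootstrap files the advisory mentions: anything read after the privilege check must live in a location only the installing account can write.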
Prerequisites
  • Local user account on the development workstation
  • PackageManager or IPM installer running with administrative privileges by another user
  • Write access to temporary directory or installation path
Tags: local privilege escalation; bypasses security verification during installation; affects development-to-production supply chain
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product             Affected Versions   Fix Status
Development System  < 3.5.22.20         Fixed in 3.5.22.20
Remediation & Mitigation
Do now
HARDENING: Restrict local account access on development workstations to only authorized engineers
WORKAROUND: Disable automatic package installation or add-on updates; require explicit admin approval and manual installation during controlled maintenance windows
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CODESYS Development System to version 3.5.22.20 or later