CODESYS Control - Incorrect Authorization
CVSS 8.1 | VDE-2026-056 | May 26, 2026
Tags: CODESYS, Phoenix Contact, WAGO, Beckhoff, Manufacturing
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
A flaw in CODESYS Control runtime's user management authorization allows an authenticated remote user with low-privileged visualization administrator access to delete higher-privileged user accounts. This affects multiple CODESYS runtime platforms when the optional visualization user management feature is enabled and a visualization administrator account is configured. The vulnerability is limited by protective mechanisms that prevent deletion of the last remaining device admin user.
What this means
What could happen
An authenticated visualization administrator could delete higher-privileged user accounts, potentially locking legitimate administrators out of the PLC or control system. However, built-in safeguards prevent deletion of the last device admin, limiting complete loss of access.
Who's at risk
Operators of CODESYS-based control systems in manufacturing environments should prioritize this issue if they use the optional visualization user management feature. Affected hardware includes Beckhoff CX controllers, WAGO PLCs and touch panels, Phoenix Contact industrial PCs, edge controllers, and Linux-based runtime platforms. Windows and embedded Linux control systems running CODESYS are also at risk.
How it could be exploited
An attacker with a low-privileged visualization administrator account logs into the CODESYS runtime via the network. They exploit insufficient authorization checks to delete higher-privileged user accounts (such as device administrators), disrupting normal operational access.
Prerequisites
- Network access to the CODESYS runtime interface (typically port 11740)
- Valid visualization administrator credentials
- Visualization user management feature must be enabled on the device
- At least one higher-privileged user account must exist to delete
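As an added illustration (not CODESYS code and not taken from the advisory), a Python model of the authorization decision inside a "delete user" handler: the flawed variant only checks that the caller holds some admin-type role, so a visualization admin can remove a device admin, while the hardened variant also requires the caller to rank at least as high as the target; both keep the advisory's last-device-admin safeguard. The role names, rank values and the UserStore class are assumptions made for the model.

```python
from dataclasses import dataclass, field

# Hypothetical privilege ranks (higher outranks lower); roles not listed here,
# such as "operator", have no user-management rights at all.
PRIV = {"visualization_admin": 1, "device_admin": 2}


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # user name -> role name

    def _is_last_device_admin(self, name):
        # The advisory's safeguard: the final device admin is never deletable.
        admins = [u for u, r in self.users.items() if r == "device_admin"]
        return self.users.get(name) == "device_admin" and len(admins) == 1

    def delete_user_flawed(self, actor, target):
        """Flawed authorization: any admin-type role may delete any account,
        so a visualization admin can remove a device admin."""
        if actor not in self.users or target not in self.users:
            return False
        if self.users[actor] not in PRIV:
            return False
        if self._is_last_device_admin(target):
            return False
        del self.users[target]
        return True

    def delete_user_hardened(self, actor, target):
        """Hardened authorization: the actor must hold a management role,
        may not delete itself, and must rank at least as high as the target."""
        if actor not in self.users or target not in self.users or actor == target:
            return False
        actor_rank = PRIV.get(self.users[actor])
        if actor_rank is None:
            return False
        if actor_rank < PRIV.get(self.users[target], 0):
            return False
        if self._is_last_device_admin(target):
            return False
        del self.users[target]
        return True


def sample_store():
    # Constructed sample data: two device admins, one visualization admin, one operator.
    return UserStore({"admin1": "device_admin", "admin2": "device_admin",
                      "visadmin": "visualization_admin", "op1": "operator"})
```

Running `sample_store().delete_user_flawed("visadmin", "admin1")` returns True (the advisory's condition), whereas the hardened check returns False for the same call.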
- Remotely exploitable
- Requires valid low-privileged credentials
- Low attack complexity
- Privilege escalation via user account deletion
- Affects user access management in industrial automation
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (16)
16 with fix
Product                              Affected Versions   Fix Status
Control RTE (SL)                     < 3.5.22.20         fixed in 3.5.22.20
Control RTE (for Beckhoff CX) SL     < 3.5.22.20         fixed in 3.5.22.20
Control Win (SL)                     < 3.5.22.20         fixed in 3.5.22.20
HMI (SL)                             < 3.5.22.20         fixed in 3.5.22.20
Runtime Toolkit                      < 3.5.22.20         fixed in 3.5.22.20
Remediation & Mitigation
Do now
- HARDENING: If visualization user management is not required, disable the optional visualization user management feature to prevent exploitation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Control RTE (for Beckhoff CX) SL < 3.5.22.20
- HOTFIX: Update CODESYS Control RTE (for Beckhoff CX) SL to version 3.5.22.20 or later
All products
- HOTFIX: Update CODESYS Control RTE (SL) to version 3.5.22.20 or later
- HOTFIX: Update CODESYS Control Win (SL) to version 3.5.22.20 or later
- HOTFIX: Update CODESYS HMI (SL) to version 3.5.22.20 or later
- HOTFIX: Update CODESYS Runtime Toolkit to version 3.5.22.20 or later
- HOTFIX: Update CODESYS Control for BeagleBone SL, emPC-A/iMX6 SL, IOT2000 SL, Linux ARM SL, Linux SL, PFC100 SL, PFC200 SL, PLCnext SL, Raspberry Pi SL, WAGO Touch Panels 600 SL, and Virtual Control SL to version 4.21.0.0 or later
CVEs (1)