CODESYS Control - Out-of-bounds Write

Plan: Patch | CVSS 7.5 | VDE-2026-057 | May 26, 2026
Tags: CODESYS, Phoenix Contact, WAGO, Beckhoff, Manufacturing
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

The CmpWebServer component in CODESYS Control Runtime contains an out-of-bounds write vulnerability due to improper bounds checking. An unauthenticated remote attacker can send a specially crafted HTTP request to cause a denial of service by crashing the affected device. The vulnerability is only present when the web server is active with a running application that has Web Visualization enabled. Affected products include CODESYS Control RTE (3.5.21.x), Control Win, HMI, Runtime Toolkit (all versions before 3.5.22.20), and all Control variants for Linux/ARM platforms (BeagleBone, Raspberry Pi, WAGO, Phoenix Contact, Beckhoff CX) before version 4.21.0.0. Vendors have released patches addressing this issue.

What this means
What could happen
An unauthenticated attacker can send a malformed HTTP request to crash a CODESYS Control runtime system with an active web server, causing the controller to stop running and halting all associated industrial processes.
Who's at risk
Manufacturing operations using CODESYS Control runtime systems for machine and process automation. Specifically affects installations using Control RTE, Control Win, HMI, Runtime Toolkit on Windows/Beckhoff platforms, and all Linux/ARM variants (Raspberry Pi, BeagleBone, WAGO PLC, Phoenix Contact devices, Beckhoff CX). Any facility relying on web-based process visualization and remote monitoring is at risk of unplanned shutdowns.
How it could be exploited
An attacker on the network sends a crafted HTTP request to the CmpWebServer component (typically port 80 or 443). The request exploits insufficient bounds checking in the web server, triggering an out-of-bounds write that crashes the runtime. The web server must be actively running (requires a deployed application with Web Visualization enabled), but no credentials are needed.
Prerequisites
  • Network access to the CODESYS Control device on the HTTP/HTTPS port (typically 80 or 443)
  • Web server component (CmpWebServer) actively running with a deployed Web Visualization application
  • No authentication required
  • remotely exploitable
  • no authentication required
  • low complexity
  • affects availability (denial of service)
  • affects safety-critical operations if the controller manages emergency stop or critical process logic
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (16)
16 with fix
Product                           | Affected Versions               | Fix Status
Control RTE (SL)                  | 3.5.21.0 ≤ version < 3.5.22.20  | Fixed in 3.5.22.20
Control RTE (for Beckhoff CX) SL  | 3.5.21.0 ≤ version < 3.5.22.20  | Fixed in 3.5.22.20
Control Win (SL)                  | 3.5.21.0 ≤ version < 3.5.22.20  | Fixed in 3.5.22.20
HMI (SL)                          | 3.5.21.0 ≤ version < 3.5.22.20  | Fixed in 3.5.22.20
Runtime Toolkit                   | 3.5.21.0 ≤ version < 3.5.22.20  | Fixed in 3.5.22.20
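As an added example (not part of the advisory and not OTPulse or CODESYS tooling), a small inventory check that encodes the version ranges above (3.5.21.0 up to but excluding 3.5.22.20 for the Windows-family products, anything before 4.21.0.0 for the Linux/ARM variants) and orders assets by what to do first; the inventory records and the `platform` and `webvisu_enabled` fields are constructed assumptions.

```python
"""Flag CODESYS Control assets against the VDE-2026-057 version ranges.
Hypothetical helper; the inventory below is made up for illustration."""

# Affected ranges taken from the advisory table: [first_affected, first_fixed)
AFFECTED_RANGES = {
    "windows": ("3.5.21.0", "3.5.22.20"),   # Control RTE/Win, HMI, Runtime Toolkit
    "embedded": (None, "4.21.0.0"),         # all Linux/ARM Control variants
}

def parse_version(s: str) -> tuple:
    """'3.5.22.20' -> (3, 5, 22, 20). Integer tuples compare correctly;
    plain string comparison would wrongly rank '3.5.9' above '3.5.22'."""
    return tuple(int(part) for part in s.strip().split("."))

def is_affected(platform: str, version: str) -> bool:
    low, high = AFFECTED_RANGES[platform]
    v = parse_version(version)
    above_low = low is None or v >= parse_version(low)
    return above_low and v < parse_version(high)

def triage(asset: dict) -> str:
    """Return the action for one inventory record."""
    if not is_affected(asset["platform"], asset["version"]):
        return "not affected"
    fix = AFFECTED_RANGES[asset["platform"]][1]
    if asset["webvisu_enabled"]:
        # CmpWebServer is reachable without credentials: restrict 80/443 now
        return f"EXPOSED: restrict HTTP/HTTPS access, update to {fix}"
    return f"update to {fix} (WebVisu off, vulnerable path not active)"

# Constructed sample inventory (not real devices or versions in the field)
INVENTORY = [
    {"name": "line1-rte", "platform": "windows", "version": "3.5.21.10", "webvisu_enabled": True},
    {"name": "hmi-packaging", "platform": "windows", "version": "3.5.22.20", "webvisu_enabled": True},
    {"name": "rpi-cell7", "platform": "embedded", "version": "4.9.0.0", "webvisu_enabled": False},
    {"name": "wago-pfc200", "platform": "embedded", "version": "4.21.0.0", "webvisu_enabled": True},
]

def report(inventory=INVENTORY) -> dict:
    """Map asset name -> triage action for the whole inventory."""
    return {a["name"]: triage(a) for a in inventory}

if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name:15} {action}")
```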
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to CODESYS Control devices on HTTP/HTTPS ports (80, 443) to trusted engineering workstations and authorized monitoring networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Control RTE (for Beckhoff CX) SL, 3.5.21.0 ≤ version < 3.5.22.20
HOTFIX: Update CODESYS Control RTE (for Beckhoff CX) SL to version 3.5.22.20 or later
All products
HOTFIX: Update CODESYS Control RTE (SL) to version 3.5.22.20 or later
HOTFIX: Update CODESYS Control Win (SL) to version 3.5.22.20 or later
HOTFIX: Update CODESYS HMI (SL) to version 3.5.22.20 or later
HOTFIX: Update CODESYS Runtime Toolkit to version 3.5.22.20 or later
HOTFIX: Update all CODESYS Control products for embedded platforms (BeagleBone, Linux, Raspberry Pi, PFC series, IOT2000, PLCnext, WAGO Touch Panels, Beckhoff CX) to version 4.21.0.0 or later
Long-term hardening
HARDENING: Disable Web Visualization if it is not actively used for monitoring or control