CODESYS, a widely deployed software-based programmable logic controller (Soft PLC) platform, is affected by multiple vulnerabilities reported by Nozomi Networks Labs. Chained together, they allow an authenticated attacker to replace a legitimate industrial control application with a malicious one and gain full administrative control of the targeted device.
Understanding the Impact of CODESYS Vulnerabilities
The widespread use of CODESYS in various industrial sectors—such as water treatment, energy, and automated manufacturing—amplifies the potential risks. Since PLCs directly manage physical processes, an exploited vulnerability could lead to production stoppages, equipment damage, or hazardous conditions.
The vulnerabilities lie in the CODESYS Control runtime, the component that executes the PLC application and manages real-time input/output and network communications. The newly identified flaws concern file permissions on the device and the process used to restore a backed-up application.
Details of the Vulnerabilities
Three vulnerabilities are identified. CVE-2025-41658, scored 5.5 (Medium), allows local users to read CODESYS password hashes because of incorrect default file permissions. CVE-2025-41659, scored 8.3 (High), is another permissions flaw that lets low-privilege users access sensitive cryptographic material. CVE-2025-41660, scored 8.8 (High), is a flaw in the resource transfer process that allows a tampered boot application to be restored onto the device.
Exploitation requires valid Service-level credentials. That requirement raises the bar but is not a hard stop: default passwords, a compromised engineering workstation, or password hashes recovered through CVE-2025-41658 can each supply them.
Attack Workflow and Mitigation Strategies
The attack proceeds in stages. The attacker first retrieves the running application from the device through the backup function, then uses CVE-2025-41659 to extract the cryptographic keys and modifies the application binary to inject malicious code. Because the keys are in hand, the tampered binary can be re-signed so it passes verification; CVE-2025-41660 is then used to restore it to the device, where it executes with root privileges after the next restart.
A compromised Soft PLC can drastically alter actuator behavior, modify safety setpoints, and override critical system controls. The attack maps to the MITRE ATT&CK for ICS techniques Manipulation of Control, Module Firmware, and Theft of Operational Information.
CODESYS Group has addressed these vulnerabilities in Control Runtime version 4.21.0.0 and Toolkit version 3.5.22.0, and the fixed versions make code signing mandatory for all PLC code before it is deployed. Administrators are urged to apply the updates promptly, restrict and rotate Service-level credentials, enforce strict network segmentation between engineering and control networks, and monitor for unexpected backup and restore operations against the runtime, since those are the operations this attack chain relies on.
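Two of the defender-side checks that follow from the above can be scripted: auditing a runtime directory for files that accounts other than the owner can read (the misconfiguration class behind CVE-2025-41658 and CVE-2025-41659), and comparing boot applications against a recorded hash baseline to catch a restored, tampered binary before the next restart. The following Python is an added example written for this article, not code from Nozomi Networks or CODESYS. The directory layout, the `PlcLogic/Application.app` path, the `Secrets.cfg` file name and the `*.app` pattern are assumptions chosen for illustration; point `find_exposed_files` and `build_baseline` at the real runtime directory on your device.

```python
"""Audit a Soft PLC runtime directory for two conditions:
1. regular files readable by group or others (credential/key exposure);
2. boot applications whose SHA-256 no longer matches a recorded baseline.
Constructed sample tree; the path names are illustrative assumptions."""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from pathlib import Path


def find_exposed_files(root: Path) -> list[str]:
    """Return root-relative paths of regular files that group or others may read."""
    exposed = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append(path.relative_to(root).as_posix())
    return exposed


def sha256_of(path: Path) -> str:
    """Stream the file so large boot applications do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, pattern: str = "*.app") -> dict[str, str]:
    """Map each boot application (assumed *.app extension) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob(pattern))}


def check_against_baseline(root: Path, baseline: dict[str, str],
                           pattern: str = "*.app") -> dict[str, list[str]]:
    """Report files whose hash changed, files that vanished, and files not in the baseline."""
    current = build_baseline(root, pattern)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Build a constructed runtime tree, record a baseline, simulate tampering, audit."""
    root = Path(tempfile.mkdtemp())
    plc = root / "PlcLogic"          # assumed directory name
    plc.mkdir()
    app = plc / "Application.app"    # assumed boot application name
    app.write_bytes(b"\x00" * 64)    # constructed stand-in for a compiled boot application
    os.chmod(app, 0o600)             # correctly restricted to the owner
    secrets = root / "Secrets.cfg"   # hypothetical file holding hash/key material
    secrets.write_bytes(b"constructed password hash material")
    os.chmod(secrets, 0o644)         # world-readable: the misconfiguration class at issue

    baseline = build_baseline(root)  # record known-good hashes before any change
    app.write_bytes(b"\x00" * 60 + b"EVIL")  # simulate a tampered, restored boot application
    return {"exposed": find_exposed_files(root),
            "drift": check_against_baseline(root, baseline)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the baseline step against a freshly patched device and store the hashes off the PLC; a hash comparison performed on a device the attacker already controls as root proves nothing, so collect the backup through the engineering workstation or a read-only channel and compare there.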
