CVE-2025-41660 - Vulnerability Details

- CODESYS Control Boot Application Replacement Enables Code Execution

Description

A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.

Published: 2026-03-24

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A low‑privileged remote attacker may replace the boot application of the CODESYS Control runtime system. This replacement allows the attacker to run arbitrary code when the device boots, effectively granting full control over the system. The weakness involves unauthorized modification of a critical component (CWE‑669).

Affected Systems

The vulnerability affects multiple CODESYS Control products, including CODESYS Control RTE for standard Linux (SL) and Beckhoff CX, CODESYS Control Win (SL), CODESYS Control for BeagleBone, IOT2000, Linux ARM, generic Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, emPC‑A/iMX6, as well as the CODESYS HMI, Runtime Toolkit, and Virtual Control SL editions.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, and although EPSS data is not available, the vulnerability is exploitable by an attacker with low privileges. The attack vector is likely remote, inferred from the description that a remote attacker can replace the boot application. The vulnerability is not yet listed in the CISA KEV catalog, but its high impact and remote nature warrant immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CODESYS

CODESYS Control RTE (SL)

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 3.5.22.0

CODESYS

CODESYS Control RTE (for Beckhoff CX) SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 3.5.22.0

CODESYS

CODESYS Control Win (SL)

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 3.5.22.0

CODESYS

CODESYS HMI (SL)

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 3.5.22.0

CODESYS

CODESYS Runtime Toolkit

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 3.5.22.0

CODESYS

CODESYS Control for BeagleBone SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for emPC-A/iMX6 SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for IOT2000 SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for Linux ARM SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for Linux SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for PFC100 SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for PFC200 SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for PLCnext SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for Raspberry Pi SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Control for WAGO Touch Panels 600 SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

CODESYS

CODESYS Virtual Control SL

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 4.21.0.0

No data.

Vendor Product Confidence Versions

Codesys

Codesys Hmi (sl)

100%

Version	Status	Scheme	Platform
`[0.0.0,3.5.22.0)`	affected	semver	—

Codesys

Control For Beaglebone Sl

89%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Empc-a/imx6 Sl

89%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Iot2000 Sl

88%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Linux Arm Sl

89%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Linux Sl

88%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Pfc100 Sl

88%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Pfc200 Sl

88%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Plcnext Sl

88%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Raspberry Pi Sl

90%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control For Wago Touch Panels 600 Sl

92%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Codesys

Control Rte (sl)

85%

Version	Status	Scheme	Platform
`[0.0.0,3.5.22.0)`	affected	semver	—

Codesys

Control Rte \(for Beckhoff Cx\) Sl

89%

Version	Status	Scheme	Platform
`[0.0.0,3.5.22.0)`	affected	semver	—

Codesys

Control Win (sl)

85%

Version	Status	Scheme	Platform
`[0.0.0,3.5.22.0)`	affected	semver	—

Codesys

Runtime Toolkit

85%

Version	Status	Scheme	Platform
`[0.0.0,3.5.22.0)`	affected	semver	—

Codesys

Virtual Control Sl

87%

Version	Status	Scheme	Platform
`[0.0.0,4.21.0.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and apply the latest vendor patch or upgrade that removes the vulnerability.
Restrict remote access to the CODESYS Control runtime by limiting connections to trusted networks or applying firewall rules.
Disable or lock the boot application directory or files to prevent unauthorized modification.
Enforce strict role‑based access controls so that only privileged users can modify boot configuration files.
Monitor system logs for any abnormal attempts to change boot application files.
If a patch is not yet available, consider isolating the device from untrusted networks and restricting physical access.

Generated by OpenCVE AI on March 24, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00233.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://certvde.com/de/advisories/VDE-2026-011

History

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Codesys Codesys codesys Hmi (sl) Codesys control For Beaglebone Sl Codesys control For Empc-a/imx6 Sl Codesys control For Iot2000 Sl Codesys control For Linux Arm Sl Codesys control For Linux Sl Codesys control For Pfc100 Sl Codesys control For Pfc200 Sl Codesys control For Plcnext Sl Codesys control For Raspberry Pi Sl Codesys control For Wago Touch Panels 600 Sl Codesys control Rte (sl) Codesys control Rte \(for Beckhoff Cx\) Sl Codesys control Win (sl) Codesys runtime Toolkit Codesys virtual Control Sl
Vendors & Products		Codesys Codesys codesys Hmi (sl) Codesys control For Beaglebone Sl Codesys control For Empc-a/imx6 Sl Codesys control For Iot2000 Sl Codesys control For Linux Arm Sl Codesys control For Linux Sl Codesys control For Pfc100 Sl Codesys control For Pfc200 Sl Codesys control For Plcnext Sl Codesys control For Raspberry Pi Sl Codesys control For Wago Touch Panels 600 Sl Codesys control Rte (sl) Codesys control Rte \(for Beckhoff Cx\) Sl Codesys control Win (sl) Codesys runtime Toolkit Codesys virtual Control Sl

Tue, 24 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 08:00:00 +0000

Type	Values Removed	Values Added
Description		A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.
Title		CODESYS Control Boot Application Replacement Enables Code Execution
Weaknesses		CWE-669
References		https://certvde.com/de/advisories/VDE-2026-011
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Codesys Codesys Hmi (sl) Control For Beaglebone Sl Control For Empc-a/imx6 Sl Control For Iot2000 Sl Control For Linux Arm Sl Control For Linux Sl Control For Pfc100 Sl Control For Pfc200 Sl Control For Plcnext Sl Control For Raspberry Pi Sl Control For Wago Touch Panels 600 Sl Control Rte (sl) Control Rte \(for Beckhoff Cx\) Sl Control Win (sl) Runtime Toolkit Virtual Control Sl

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2026-03-24T07:41:43.004Z

Updated: 2026-03-24T13:16:02.920Z

Reserved: 2025-04-16T11:17:48.307Z

Link: CVE-2025-41660

Vulnrichment

Updated: 2026-03-24T13:15:57.857Z

NVD

Status : Awaiting Analysis

Published: 2026-03-24T08:16:00.230

Modified: 2026-03-24T15:53:48.067

Link: CVE-2025-41660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:39:48Z

Weaknesses

CWE-669

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object