The vulnerability allows an attacker to inject arbitrary format specifiers into audit log messages processed by the CODESYS Control runtime system. By sending a carefully crafted log entry, an unauthenticated remote user can cause the audit logger to crash or consume excessive resources, resulting in a denial‑of‑service condition. This is a classic format string weakness, identified as CWE-134.

The affected software is the CODESYS Control runtime platform, including CODESYS Control RTE (SL), CODESYS Control RTE (for Beckhoff CX) SL, CODESYS Control Win (SL), CODESYS Control for BeagleBone SL, CODESYS Control for IOT2000 SL, CODESYS Control for Linux ARM SL, CODESYS Control for Linux SL, CODESYS Control for PFC100 SL, CODESYS Control for PFC200 SL, CODESYS Control for PLCnext SL, CODESYS Control for Raspberry Pi SL, CODESYS Control for WAGO Touch Panels 600 SL, CODESYS Control for emPC‑A/iMX6 SL, CODESYS Runtime Toolkit, and CODESYS Virtual Control SL. No specific version information was supplied, so all releases of these products are potentially impacted.

The CVSS score of 7.5 indicates moderate‑to‑high severity. Although the EPSS score is not available, the lack of inclusion in the CISA KEV catalog suggests no known active exploitation, but the remote nature of the attack and the ease of triggering a crash mean that the risk remains significant. An attacker can exploit this vulnerability from any networked device that can reach the audit logger interface, without requiring authentication or privileges.