Beckhoff: Privilege escalation and information leak via Beckhoff Device Manager

VDE-2025-092
Last update: 27.01.2026 12:00
Published at: 27.01.2026 12:00
Vendor(s): Beckhoff Automation GmbH & Co. KG
External ID: VDE-2025-092

Summary

The vulnerability CVE-2025-41726 (NN-2025-0074) allows an authenticated remote user to execute arbitrary commands on the device. This can be exploited over the web UI or via API. In one case the execution of the arbitrary command happens within a privileged process.

The vulnerability CVE-2025-41727 (NN-2025-0075) allows a local user with low privileges on the device to bypass the authentication mechanism of the UI and send commands to a privileged process, which executes them on behalf of that user but with higher privileges. This way the local user can escalate privileges.

The vulnerability CVE-2025-41728 (NN-2025-0076) allows an authenticated remote user to cause an out-of-bounds read operation within a specific service process which runs on the device. The read operation might copy sensitive information from the memory of that service into a response message which is then provided to the user, but the user cannot choose which information is disclosed.

Impact

CVE-2025-41726: On a Beckhoff IPC or CX device, an authenticated user can execute arbitrary code by sending specially crafted calls to the web service of the Beckhoff Device Manager, or locally via an API. These calls can cause integer overflows, which can then lead to arbitrary code execution within privileged processes.

CVE-2025-41727: On a Beckhoff IPC or CX device a local user can bypass the authentication of the Beckhoff Device Manager user interface, allowing them to perform privileged operations and gain administrator access.

CVE-2025-41728: On a Beckhoff IPC or CX device, an authenticated user may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Beckhoff Device Manager web service that cause an out-of-bounds read operation and thereby potentially copy confidential information into a response.

Affected Product(s)

Product name | Affected versions
Beckhoff.Device.Manager.XAR tcpkg package | <2.5.3
MDP software package for TwinCAT/BSD | <1.7.0.0
mdp-bhf software package Beckhoff RT Linux(R) | <0.0.5-1

Vulnerabilities

CVE-2025-41726
Published: 27.01.2026 12:33
Weakness: Integer Overflow or Wraparound (CWE-190)

CVE-2025-41727
Published: 27.01.2026 12:33
Weakness: Unprotected Alternate Channel (CWE-420)

CVE-2025-41728
Published: 27.01.2026 12:33
Weakness: Out-of-bounds Read (CWE-125)

Remediation

Please update to a recent version of the affected components (see below) or update the complete operating system image. Operating system images are available on request from Beckhoff's service (service@beckhoff.com). The setup / installer for Windows 10 and 11 is also available on request from Beckhoff's service.

Product | Fixed Version
Beckhoff.Device.Manager.XAR tcpkg package | 2.5.3
Beckhoff IPC Diagnostics software for Windows | 2.5.3
MDP.dll library for Windows CE 6.0 and Embedded Compact 7 on x86 | 1.7.0.0
MDP software package for TwinCAT/BSD | 1.7.0.0
mdp-bhf software package Beckhoff RT Linux(R) | 0.0.5-1
MDP.dll library for Windows CE 6.0 and Embedded Compact 7 on ARM32 | 1.7.0.0
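
The following is an added example, not code from Beckhoff or from this advisory: it triages a device inventory against the fixed versions listed above. The inventory labels, hostnames and installed versions are constructed, and the version ordering (numeric dotted fields with an optional `-N` revision) is an assumption about how these packages are versioned.

```python
import re

# Fixed versions from the advisory; keys are hypothetical inventory labels.
FIXED = {
    "Beckhoff.Device.Manager.XAR": "2.5.3",
    "IPC Diagnostics (Windows)": "2.5.3",
    "MDP.dll (Windows CE/EC7)": "1.7.0.0",
    "MDP (TwinCAT/BSD)": "1.7.0.0",
    "mdp-bhf": "0.0.5-1",
}

def version_key(version):
    """'0.0.5-1' -> ((0, 0, 5), 1); a missing '-N' revision counts as 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    fields = [int(p) for p in m.group(1).split(".")]
    while len(fields) > 1 and fields[-1] == 0:  # treat 2.5.3.0 as 2.5.3
        fields.pop()
    return tuple(fields), int(m.group(2) or 0)

def triage(inventory):
    """Return (host, component, installed, verdict) for each inventory row."""
    rows = []
    for host, component, installed in inventory:
        fixed = FIXED.get(component)
        try:
            if fixed is None:
                verdict = "not covered by this advisory"
            elif version_key(installed) < version_key(fixed):
                verdict = "AFFECTED, update to >= " + fixed
            else:
                verdict = "fixed"
        except ValueError:  # never report an unreadable version as fixed
            verdict = "UNKNOWN, check manually"
        rows.append((host, component, installed, verdict))
    return rows

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("cx-line1", "Beckhoff.Device.Manager.XAR", "2.5.10"),
    ("cx-line2", "Beckhoff.Device.Manager.XAR", "2.4.9"),
    ("ipc-bsd1", "MDP (TwinCAT/BSD)", "1.7.0.0"),
    ("ipc-bsd2", "MDP (TwinCAT/BSD)", "1.6.12.3"),
    ("ipc-rt1", "mdp-bhf", "0.0.5"),
    ("ipc-rt2", "mdp-bhf", "unknown"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Comparing the fields numerically matters here: a plain string comparison would rank 2.5.10 below 2.5.3 and flag an already updated device as affected.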

Acknowledgments

Beckhoff Automation GmbH & Co. KG thanks the following parties for their efforts:

Revision History

Version | Date | Summary
1.0.0 | 20.01.2026 11:00 | Initial revision
1.0.1 | 27.01.2026 12:00 | fixed date