CODESYS Control V3 - Externally-controlled format string in Auditlog

The CODESYS Control runtime system's CmpAuditLog component allows potentially unauthenticated remote attackers to control the format string of processed log messages. Due to the internal processing logic, the impact is limited to a crash of the CODESYS Control runtime.

Exploitation of this vulnerability can lead to a denial-of-service (DoS) condition on affected PLCs, disrupting industrial control systems.

As a mitigation, the Audit Log feature can be disabled in the CODESYS Control runtime configuration file. When the Audit Log logger is not enabled, the affected functionality is no longer exposed and the vulnerability cannot be exploited.
To disable the Audit Log feature, use the following settings:
[CmpLog]
Logger.0.Name=.Audit.log
Logger.0.Enable=0

Update the following products to version 3.5.22.0.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS Runtime Toolkit

Update the following products to version 4.21.0.0. The release of this version is expected in Q2 2026.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.

CODESYS GmbH thanks the following parties for their efforts:

• CERT@VDE for coordination (see https://www.certvde.com )