Summary
The CmpWebServer component in the CODESYS Control Runtime allows users to create browser-based visualizations for monitoring and controlling industrial processes.
Due to improper bounds checking, a specially crafted HTTP request from an unauthenticated remote attacker may lead to a size-limited out-of-bounds write, causing a denial of service of the affected device.
The CODESYS Control runtime system is only affected if the web server is active; by default the web server is started only when a running application has Web Visualization enabled.
Impact
Successful exploitation allows an unauthenticated remote attacker to trigger an out-of-bounds write, causing the CODESYS Control Runtime to crash and resulting in a denial of service on the affected device.
Affected Product(s)
| Product name | Affected versions |
|---|---|
| CODESYS Control RTE (SL) | >= 3.5.21.0, < 3.5.22.20 |
| CODESYS Control RTE (for Beckhoff CX) SL | >= 3.5.21.0, < 3.5.22.20 |
| CODESYS Control Win (SL) | >= 3.5.21.0, < 3.5.22.20 |
| CODESYS Control for BeagleBone SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for IOT2000 SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for Linux ARM SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for Linux SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for PFC100 SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for PFC200 SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for PLCnext SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for Raspberry Pi SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS Control for WAGO Touch Panels 600 SL | < 4.21.0.0 |
| CODESYS Control for emPC-A/iMX6 SL | >= 4.15.0.0, < 4.21.0.0 |
| CODESYS HMI (SL) | >= 3.5.21.0, < 3.5.22.20 |
| CODESYS Runtime Toolkit | >= 3.5.21.0, < 3.5.22.20 |
| CODESYS Virtual Control SL | >= 4.15.0.0, < 4.21.0.0 |
Vulnerabilities
The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to crash the runtime system and thereby cause a denial of service on the affected device.
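The advisory does not disclose where in CmpWebServer the length check fails or how many bytes can be written. The C program below is an added illustration of the bug class it names, not CODESYS code: a header value is copied into a fixed-size slot, and the vulnerable variant compares the length against the buffer size without reserving room for the NUL terminator, so a value of exactly the buffer size writes one byte past the array (a size-limited out-of-bounds write). The hardened variant rejects that case. The slot layout, the guard byte, the `VALUE_CAP` size and the sample requests are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example (not the CmpWebServer data structure): a
 * fixed-size slot for one header value with a guard byte directly behind it,
 * so that a one-byte overrun becomes observable. */
#define VALUE_CAP 16
struct header_slot {
    char value[VALUE_CAP];
    unsigned char guard;    /* 0xAA while intact */
};

/* Case-insensitive "Name:" match at the start of one header line. */
static int name_matches(const char *line, size_t line_len, const char *name, size_t name_len)
{
    if (line_len < name_len + 1 || line[name_len] != ':') return 0;
    for (size_t i = 0; i < name_len; i++) {
        char a = line[i], b = name[i];
        if (a >= 'A' && a <= 'Z') a = (char)(a + ('a' - 'A'));
        if (b >= 'A' && b <= 'Z') b = (char)(b + ('a' - 'A'));
        if (a != b) return 0;
    }
    return 1;
}

/* Locate header `name` in a raw request: returns a pointer to its value with
 * surrounding whitespace/CR stripped and stores the length in *len, or NULL.
 * Scanning stops at the blank line that ends the header block. */
static const char *find_header(const char *req, size_t req_len, const char *name, size_t *len)
{
    size_t name_len = strlen(name);
    const char *end = req + req_len;
    const char *p = memchr(req, '\n', req_len);        /* skip the request line */
    if (!p) return NULL;
    for (p++; p < end; ) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t line_len = nl ? (size_t)(nl - p) : (size_t)(end - p);
        if (line_len == 0 || (line_len == 1 && p[0] == '\r')) break;
        if (name_matches(p, line_len, name, name_len)) {
            const char *v = p + name_len + 1, *v_end = p + line_len;
            while (v < v_end && (*v == ' ' || *v == '\t')) v++;
            while (v_end > v && (v_end[-1] == '\r' || v_end[-1] == ' ')) v_end--;
            *len = (size_t)(v_end - v);
            return v;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return NULL;
}

/* Vulnerable variant: the check admits len == VALUE_CAP, so the terminator is
 * written one byte past the array (a size-limited out-of-bounds write).
 * Returns the value length, -1 if the header is absent, -2 if rejected. */
int copy_header_unchecked(struct header_slot *slot, const char *req, size_t req_len, const char *name)
{
    size_t len;
    const char *v = find_header(req, req_len, name, &len);
    if (!v) return -1;
    if (len > VALUE_CAP) return -2;   /* off by one: no room reserved for the NUL */
    memcpy(slot->value, v, len);
    slot->value[len] = '\0';          /* lands on slot->guard when len == VALUE_CAP */
    return (int)len;
}

/* Hardened variant: the value plus its terminator must fit in the slot. */
int copy_header_checked(struct header_slot *slot, const char *req, size_t req_len, const char *name)
{
    size_t len;
    const char *v = find_header(req, req_len, name, &len);
    if (!v) return -1;
    if (len >= VALUE_CAP) return -2;
    memcpy(slot->value, v, len);
    slot->value[len] = '\0';
    return (int)len;
}

typedef int (*copier_fn)(struct header_slot *, const char *, size_t, const char *);

/* Run one copier against a fresh slot and report whether the guard survived. */
static int run_copier(copier_fn copier, const char *req, int *guard_ok)
{
    struct header_slot slot;
    memset(&slot, 0, sizeof slot);
    slot.guard = 0xAA;
    int rc = copier(&slot, req, strlen(req), "Host");
    if (guard_ok) *guard_ok = (slot.guard == 0xAA);
    return rc;
}
int try_unchecked(const char *req) { return run_copier(copy_header_unchecked, req, NULL); }
int try_checked(const char *req)   { return run_copier(copy_header_checked, req, NULL); }
int checked_keeps_guard(const char *req) { int ok = 0; run_copier(copy_header_checked, req, &ok); return ok; }

/* Constructed sample requests (not captured traffic); the Host value in
 * REQ_EDGE is exactly VALUE_CAP bytes long. */
static const char REQ_OK[]   = "GET /webvisu.htm HTTP/1.1\r\nHost: plc.local\r\n\r\n";
static const char REQ_EDGE[] = "GET /webvisu.htm HTTP/1.1\r\nhost: 0123456789abcdef\r\n\r\n";

int main(void)
{
    int guard_ok = 0, rc = run_copier(copy_header_unchecked, REQ_EDGE, &guard_ok);
    printf("checked: ok=%d edge=%d | unchecked edge: rc=%d guard_intact=%d\n",
           try_checked(REQ_OK), try_checked(REQ_EDGE), rc, guard_ok);
    return 0;
}
```

The comparison operator is the whole difference between the two copiers: `>` leaves one byte of the write unchecked, `>=` accounts for the terminator. In a real server the byte behind the buffer is whatever the allocator or stack layout put there, which is why a write this small is enough to crash the process, matching the denial-of-service outcome the advisory describes.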
Remediation
Update the following products to version 3.5.22.20.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS HMI (SL)
* CODESYS Runtime Toolkit
Update the following products to version 4.21.0.0. The release of this version is expected in June 2026.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or downloaded from the CODESYS Store. For all other products, and as an alternative for these, further information on obtaining the software update is available in the CODESYS Update area: https://www.codesys.com/download/.
Acknowledgments
CODESYS GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://www.certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 05/26/2026 12:00 | Initial revision. |