Back to overview

CODESYS Control V3 - NULL pointer dereference

VDE-2025-070
Last update
09/01/2025 12:00
Published at
08/04/2025 12:00
Vendor(s)
CODESYS GmbH
External ID
Advisory2025-08_VDE-2025-070
CSAF Document
Download

Summary

A vulnerability in the CODESYS Control runtime system's CmpDevice component allows unauthenticated attackers to cause a denial-of-service (DoS) via specially crafted communication requests.
The issue is triggered by a NULL pointer dereference and also affects systems when outdated CODESYS clients attempt to log in.
Only PLCs based on the CODESYS Runtime Toolkit containing the components CmpDevice, CmpAuditLog, and CmpSessionInformation are impacted.

Update 1.1.0, 01.09.2025: Updated remediation category - fixed SL runtimes are now available.

Impact

Exploitation of this vulnerability can lead to a denial-of-service (DoS) condition on affected PLCs, disrupting industrial control systems.

Affected Product(s)

Model no. Product name Affected versions
CODESYS Control RTE (SL) 3.5.21.10 < 3.5.21.20 CODESYS Control RTE (SL) 3.5.21.10 < 3.5.21.20
CODESYS Control RTE (for Beckhoff CX) SL 3.5.21.10 < 3.5.21.20 CODESYS Control RTE (for Beckhoff CX) SL 3.5.21.10 < 3.5.21.20
CODESYS Control Win (SL) 3.5.21.10 < 3.5.21.20 CODESYS Control Win (SL) 3.5.21.10 < 3.5.21.20
CODESYS Control for BeagleBone SL 4.16.0.0 < 4.17.0.0 CODESYS Control for BeagleBone SL 4.16.0.0 < 4.17.0.0
CODESYS Control for IOT2000 SL 4.16.0.0 < 4.17.0.0 CODESYS Control for IOT2000 SL 4.16.0.0 < 4.17.0.0
CODESYS Control for Linux ARM SL 4.16.0.0 < 4.17.0.0 CODESYS Control for Linux ARM SL 4.16.0.0 < 4.17.0.0
CODESYS Control for Linux SL 4.16.0.0 < 4.17.0.0 CODESYS Control for Linux SL 4.16.0.0 < 4.17.0.0
CODESYS Control for PFC100 SL 4.16.0.0 < 4.17.0.0 CODESYS Control for PFC100 SL 4.16.0.0 < 4.17.0.0
CODESYS Control for PFC200 SL 4.16.0.0 < 4.17.0.0 CODESYS Control for PFC200 SL 4.16.0.0 < 4.17.0.0
CODESYS Control for PLCnext SL 4.16.0.0 < 4.17.0.0 CODESYS Control for PLCnext SL 4.16.0.0 < 4.17.0.0
CODESYS Control for Raspberry Pi SL 4.16.0.0 < 4.17.0.0 CODESYS Control for Raspberry Pi SL 4.16.0.0 < 4.17.0.0
CODESYS Control for WAGO Touch Panels 600 SL 4.16.0.0 < 4.17.0.0 CODESYS Control for WAGO Touch Panels 600 SL 4.16.0.0 < 4.17.0.0
CODESYS Control for emPC-A/iMX6 SL 4.16.0.0 < 4.17.0.0 CODESYS Control for emPC-A/iMX6 SL 4.16.0.0 < 4.17.0.0
CODESYS HMI (SL) 3.5.21.10 < 3.5.21.20 CODESYS HMI (SL) 3.5.21.10 < 3.5.21.20
CODESYS Virtual Control SL 4.16.0.0 < 4.17.0.0 CODESYS Virtual Control SL 4.16.0.0 < 4.17.0.0

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
NULL Pointer Dereference (CWE-476)
Summary

An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.

References
cve.org | nvd.nist.gov

Mitigation

The vulnerability can be mitigated by restricting the allowed login authentication type "CmpUserMgr/UserLogin_AuthenticationType" to "ONLY_ASYMMETRIC". This can be configured either via the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting:

[CmpUserMgr]
SECURITY.UserLogin_AuthenticationType=ONLY_ASYMMETRIC

With this configuration in place, both potential attackers and legacy CODESYS protocol clients (prior to version 3.5.16.0) will be blocked from logging in, thereby preventing execution of the vulnerable code path.

Remediation

Update the following products to version 3.5.21.20.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS Runtime Toolkit

Update the following products to version 4.17.0.0.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area https://www.codesys.com/download/.

Revision History

Version Date Summary
1.0.0 08/04/2025 12:00 Initial revision.
1.1.0 09/01/2025 12:00 Updated remediation category - fixed SL runtimes are now available.