CODESYS Control V3 - Exposed PKI folder

VDE-2025-051
Last update: 01.09.2025 12:00
Published at: 04.08.2025 12:00
Vendor(s): CODESYS GmbH
External ID: Advisory2025-07_VDE-2025-051

Summary

A vulnerability in the CODESYS Control runtime system allows low-privileged remote attackers to access the PKI folder via the CODESYS protocol, enabling them to read and write certificates and keys. This exposes sensitive cryptographic data and allows unauthorized certificates to be trusted. However, all services remain available; only certificate-based encryption and signing features are affected. The issue affects systems using the optional CmpOpenSSL component for cryptographic operations.

Update 1.1.0, 01.09.2025: Updated remediation category - fixed SL runtimes are now available.

Impact

Unauthorized access to PKI files allows attackers to extract sensitive cryptographic keys and manipulate trusted certificates. This compromises system integrity and confidentiality and partially affects availability.

Affected Product(s)

| Product name | Affected versions |
|---|---|
| CODESYS Control RTE (SL) | < 3.5.21.20 |
| CODESYS Control RTE (for Beckhoff CX) SL | < 3.5.21.20 |
| CODESYS Control Win (SL) | < 3.5.21.20 |
| CODESYS Control for BeagleBone SL | < 4.17.0.0 |
| CODESYS Control for IOT2000 SL | < 4.17.0.0 |
| CODESYS Control for Linux ARM SL | < 4.17.0.0 |
| CODESYS Control for Linux SL | < 4.17.0.0 |
| CODESYS Control for PFC100 SL | < 4.17.0.0 |
| CODESYS Control for PFC200 SL | < 4.17.0.0 |
| CODESYS Control for PLCnext SL | < 4.17.0.0 |
| CODESYS Control for Raspberry Pi SL | < 4.17.0.0 |
| CODESYS Control for WAGO Touch Panels 600 SL | < 4.17.0.0 |
| CODESYS Control for emPC-A/iMX6 SL | < 4.17.0.0 |
| CODESYS HMI (SL) | < 3.5.21.20 |
| CODESYS Runtime Toolkit | < 3.5.21.20 |
| CODESYS Virtual Control SL | < 4.17.0.0 |

Vulnerabilities

Published: 22.09.2025 14:57
Weakness: Incorrect Permission Assignment for Critical Resource (CWE-732)
Summary

A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and their keys. This allows sensitive data to be extracted or certificates to be accepted as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.

References

Remediation

Update the following products to version 3.5.21.20.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS HMI (SL)
* CODESYS Runtime Toolkit

Update the following products to version 4.17.0.0.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or downloaded from the CODESYS Store. Alternatively, and for all other products, you will find further information on obtaining the software update in the CODESYS Update area: https://www.codesys.com/download/.

In line with our general recommendation that the PKI should only be managed via the dedicated X.509 API or the corresponding online services of the CODESYS Control runtime system, direct programmatic access via SysFile or SysDir operations and online access via the CODESYS file transfer services are denied after an update to a fixed product version. For compatibility reasons, applications that rely on these accesses can restore the old behavior with the following setting:
[CmpOpenSSL]
EnforceBlacklistOnPKIDir=0

However, CODESYS GmbH strongly recommends keeping the new default.
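
An audit sketch for the two conditions this remediation section describes, added here as an example and not CODESYS or CERT@VDE code: it classifies a runtime as unpatched, patched with the compatibility override active, or patched with the new default enforced. The function names, the status strings, the parsing rules (case-insensitive section and key matching, `;` and `#` as comment markers, last assignment wins) and the sample configuration text are assumptions made for the example.

```python
import re

# Fixed versions and product names as listed in the advisory's Remediation section.
FIXED = {
    (3, 5, 21, 20): {
        "CODESYS Control RTE (SL)", "CODESYS Control RTE (for Beckhoff CX) SL",
        "CODESYS Control Win (SL)", "CODESYS HMI (SL)", "CODESYS Runtime Toolkit"},
    (4, 17, 0, 0): {
        "CODESYS Control for BeagleBone SL", "CODESYS Control for emPC-A/iMX6 SL",
        "CODESYS Control for IOT2000 SL", "CODESYS Control for Linux ARM SL",
        "CODESYS Control for Linux SL", "CODESYS Control for PFC100 SL",
        "CODESYS Control for PFC200 SL", "CODESYS Control for PLCnext SL",
        "CODESYS Control for Raspberry Pi SL",
        "CODESYS Control for WAGO Touch Panels 600 SL", "CODESYS Virtual Control SL"},
}

def parse_version(text):
    """'4.17' -> (4, 17, 0, 0); pads to four fields so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def pki_override(cfg_text):
    """Return the last EnforceBlacklistOnPKIDir value set in [CmpOpenSSL], else None."""
    section, value = None, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # assumed comment markers
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "cmpopenssl" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() == "enforceblacklistonpkidir":
                value = val
    return value

def assess(product, version, cfg_text):
    """Classify one runtime: UNPATCHED, OVERRIDE_ACTIVE or ENFORCED."""
    for fixed, products in FIXED.items():
        if product in products:
            if parse_version(version) < fixed:
                return "UNPATCHED"
            return "OVERRIDE_ACTIVE" if pki_override(cfg_text) == "0" else "ENFORCED"
    raise ValueError(f"product not listed in the advisory: {product!r}")

# Constructed sample configuration text (not taken from a real device).
SAMPLE_CFG = "[CmpOpenSSL]\n; kept for a legacy application\nEnforceBlacklistOnPKIDir=0\n"
```

An `OVERRIDE_ACTIVE` result means the runtime is on a fixed version but direct file access to the PKI directory has been re-enabled, so it should be reviewed against the vendor's recommendation to keep the new default.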

Revision History

| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 04.08.2025 12:00 | Initial revision. |
| 1.1.0 | 01.09.2025 12:00 | Updated remediation category - fixed SL runtimes are now available. |