On certain operating systems (e.g., Linux), default file system permissions may allow read access to the files of the CODESYS Control runtime system for non-administrator users. The documentation provided with the CODESYS Runtime Toolkit does not explicitly address this risk. As a result, products based on the toolkit may unintentionally expose sensitive runtime files to local operating system users with limited privileges.

CODESYS Control runtime system based devices are affected if they provide access to the operating system (e.g., via a local user interface or SSH) and user accounts without administrator rights for this access exist or can be created.

A vulnerability in the CODESYS Control runtime system allows low-privileged remote attackers to access the PKI folder via CODESYS protocol, enabling them to read and write certificates and keys. This exposes sensitive cryptographic data and allows unauthorized certificates to be trusted. However, all services remain available, only certificate based encryption and signing features are concerned. The issue affects systems using the optional CmpOpenSSL component for cryptographic operations.

Update 1.1.0, 01.09.2025: Updated remediation category - fixed SL runtimes are now available.

A vulnerability in the CODESYS Control runtime system's CmpDevice component allows unauthenticated attackers to cause a denial-of-service (DoS) via specially crafted communication requests. The issue is triggered by a NULL pointer dereference and also affects systems when outdated CODESYS clients attempt to log in. Only PLCs based on the CODESYS Runtime Toolkit containing the components CmpDevice, CmpAuditLog, and CmpSessionInformation are impacted.

Update 1.1.0, 01.09.2025: Updated remediation category - fixed SL runtimes are now available.

An authenticated remote attacker can exploit an undocumented method to escape the LUA sandbox in REX200/250 devices, enabling the execution of arbitrary operating system commands and leading to full system compromise.

An authenticated remote attacker can exploit an undocumented method to escape the LUA sandbox in mbNET devices, enabling the execution of arbitrary operating system commands and leading to full system compromise.

Multiple vulnerabilities in all REX 100 devices with firmware <= 2.3.2 that allow an attacker to gain full control over the device.

Multiple vulnerabilities in all mbNET.mini devices with firmware <= 2.3.2 that allow an attacker to gain full control over the device.

Multiple vulnerabilities in the PLCnext system allowed low-privileged remote attackers to gain unauthorized access or trigger system reboots by manipulating configuration files and symbolic links. Affected services include watchdog, arp-preinit, and security-profile, potentially exposing critical system files. These issues have been resolved in firmware version 2025.0.2.