Article No. | Product Name | Affected Version(s)
---|---|---
TE1000 | TwinCAT 3 Engineering | < 3.1.4024.67
Beckhoff's TwinCAT 3 Engineering software is intended to craft automation projects consisting of a set of files, which are stored locally either underneath an individual folder or in a packed file. Among the non-packed local files, TwinCAT 3 Engineering stores user settings and preferences that make it convenient to resume earlier work on the project. These settings are kept in files called "Solution User Options (.suo) File". When such settings are manipulated or crafted by an adversary in a specific way, TwinCAT 3 Engineering executes arbitrary commands determined by these settings as soon as the user opens the project with TwinCAT 3 Engineering. These arbitrary commands are executed in the user context.
Please note that solution user option files should not be checked into source code control. This is also a general best practice when working with source code projects and solutions. For example, see https://learn.microsoft.com/en-us/visualstudio/extensibility/internals/solution-user-options-dot-suo-file and https://infosys.beckhoff.com/content/1033/tc3_sourcecontrol/14604066827.html.
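As an added defender-side example (not part of this advisory and not Beckhoff code): a small Python audit that locates Solution User Options files in a checkout and reports those that no .gitignore pattern covers, so they can be removed before they are committed. The hidden .vs/<solution>/v*/.suo location and the simplified .gitignore matching are assumptions of this example, not statements from the advisory.

```python
"""Audit a TwinCAT 3 / Visual Studio solution checkout for .suo files.

Builds a throwaway sample tree (constructed data), finds every .suo file,
including the hidden .vs/<solution>/v*/.suo form (assumed layout), and reports
which of them are not matched by the checkout's .gitignore.
"""
import fnmatch
import os
import tempfile
from pathlib import Path


def find_suo_files(root):
    """Return sorted checkout-relative POSIX paths of all .suo files under root.
    Matching is case-insensitive because the files live on Windows file systems."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".suo"):
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def load_ignore_patterns(root):
    """Read plain glob lines from .gitignore (blank lines and comments skipped).
    Assumption: negation (!) and anchored rules are not handled by this audit."""
    gitignore = Path(root, ".gitignore")
    if not gitignore.is_file():
        return []
    lines = (ln.strip() for ln in gitignore.read_text().splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def unignored_suo_files(root):
    """Return .suo files no pattern matches: these are at risk of being committed
    and later opened, with their settings, by another user's engineering tool."""
    patterns = load_ignore_patterns(root)
    risky = []
    for rel in find_suo_files(root):
        covered = any(
            fnmatch.fnmatch(rel, pat)                  # whole relative path
            or fnmatch.fnmatch(Path(rel).name, pat)    # bare file name
            or rel.startswith(pat.rstrip("/") + "/")   # directory rule like "bin/"
            for pat in patterns)
        if not covered:
            risky.append(rel)
    return risky


def build_sample_tree():
    """Construct a sample checkout: a legacy Plant.suo next to the solution plus a
    hidden .vs/Plant/v16/.suo; the .gitignore only names the legacy file."""
    root = Path(tempfile.mkdtemp(prefix="tc3-suo-audit-"))
    (root / "Plant.sln").write_text("")
    (root / "Plant.suo").write_bytes(b"\xd0\xcf\x11\xe0")   # placeholder content
    hidden = root / ".vs" / "Plant" / "v16"
    hidden.mkdir(parents=True)
    (hidden / ".suo").write_bytes(b"\xd0\xcf\x11\xe0")       # placeholder content
    (root / ".gitignore").write_text("# build output\nbin/\nPlant.suo\n")
    return root
```

Running `unignored_suo_files(build_sample_tree())` reports only the hidden `.vs/Plant/v16/.suo`, which is exactly the file a name-specific ignore rule misses; a `*.suo` rule covers both.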
The vulnerability is similar to older vulnerabilities that were addressed in the CODESYS Development System V3 product from CODESYS GmbH with CVE-2021-21864, CVE-2021-21865, CVE-2021-21866, CVE-2021-21867, CVE-2021-21868, CVE-2021-21869, and the associated Advisory 2021-13 from CODESYS GmbH.
An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. These arbitrary commands are executed in the user context.
An attacker with access to local files can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. These arbitrary commands are executed in the user context. When older affected versions of the engineering tool are installed, the deliberate manipulation of the project file can cause one of these older versions to be used to open it.
Please note that TwinCAT 3 Engineering offers the "Remote Manager" feature (see https://infosys.beckhoff.com/content/1033/tc3_remote_manager/index.html?id=1584127271344589360), which allows older versions of TwinCAT 3 Engineering to stay installed in parallel to more recent versions. TwinCAT projects can be "pinned" so that they are edited with a fixed version, see https://infosys.beckhoff.com/content/1033/tc3_remote_manager/3154642571.html. If such a pinned project is opened on a system where a more recent version of TwinCAT 3 Engineering is installed and the matching older version is still installed as well, the project is automatically passed from the more recent version to the matching older version and edited there. If that older version is vulnerable, the manipulated project is opened by the vulnerable version.
Remediation
Please update to a recent version of the affected product and uninstall older versions of TwinCAT 3 Engineering. Make sure that older versions of TwinCAT 3 Engineering are no longer present as "Remote Manager" versions, see https://infosys.beckhoff.com/content/1033/tc3_remote_manager/index.html?id=1584127271344589360. Remove any "pinning" of your projects to older versions of TwinCAT 3 Engineering, if present, see https://infosys.beckhoff.com/content/1033/tc3_remote_manager/3154642571.html.
CERT@VDE coordinated with Beckhoff
Beckhoff thanks Peter Cheng from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc. for reporting this vulnerability.