Summary
The firmware installed on the CR3171 is affected by several CODESYS vulnerabilities.
Impact
CVE-2025-41659 : Unauthorized access to PKI files allows attackers to extract sensitive cryptographic keys and manipulate trusted certificates. This compromises system integrity, confidentiality and partially affects availability.
CVE-2025-41658 : The affected products do not explicitly restrict read permissions for other local operating system users, potentially allowing unauthorized access to sensitive runtime files.
CVE-2025-41691 : Exploitation of this vulnerability can lead to a denial-of-service (DoS) condition on affected PLCs, disrupting industrial control systems.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| CR3171 | | Firmware 3.1, Firmware 3.2 |
Vulnerabilities
CVE-2025-41659 : A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and their keys. This allows sensitive data to be extracted or attacker-supplied certificates to be accepted as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.
CVE-2025-41691 : An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.
CVE-2025-41658 : CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.
Mitigation
CVE-2025-41659 : The vulnerability affects devices running firmware versions prior to 3.3. Due to the nature of the issue, no configuration changes, operational workarounds, or compensating controls are available that would sufficiently reduce the associated risk. Therefore, it is essential to update the affected device to firmware version 3.3.
Operating the device on earlier firmware versions results in continued exposure to the vulnerability. Once firmware version 3.3 is installed, the vulnerability is considered fully resolved.
CVE-2025-41658 : If the CODESYS Control runtime system is operated on an operating system with multi-user support, other users may potentially gain access to runtime-related files. Thus, it is essential to configure the storage locations for CODESYS Control runtime files in accordance with the operating system's security best practices. These locations should, by default, restrict access to unauthorized users. If the operating system does not support such access control mechanisms or if implementing them is not feasible, an alternative approach is to explicitly revoke read and write permissions for all non-administrative users on the directories used by the CODESYS Control runtime system.
The following directories must be secured:
* The directory containing configuration files
* The directory containing binary files
* The working directory used by the runtime system
Note: Protecting individual files is not sufficient. The entire directories must be secured to ensure that any files created in the future are also protected.
As a further countermeasure, examine whether the use of the CODESYS environment can be avoided in your own application design.
Alternatively, where applicable, all non-administrative user accounts can be removed from the system, and their re-creation should be prevented. Additionally, it is recommended to disable remote access methods that allow file access (e.g., SSH) wherever possible, in order to reduce the overall attack surface.
Best practice recommendations for Linux and QNX Systems:
* Create a dedicated privileged group for accessing the above-mentioned directories, and add the user account under which the runtime process is executed to this group.
* Set the file system permissions for these directories to deny access to "other" users (e.g., chmod o-rx).
* If access for additional users is required, they can be added to the privileged group as needed.
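The following script is an added example, not a tool provided by ifm or CODESYS. It applies the Linux/QNX best practice above to the three directory kinds listed earlier (configuration, binaries, working directory) and verifies that "other" users end up with no permission bits. The group name, runtime user and directory paths are placeholders that must be adjusted to the device; the group creation and membership commands need root and are shown as comments rather than executed.

```shell
#!/bin/sh
# Added example (not ifm's or CODESYS's own tooling): restrict the directories
# used by the CODESYS Control runtime system to owner and a dedicated group.
# Assumptions (placeholders, adjust to the device):
#   RUNTIME_GROUP - dedicated privileged group for the runtime directories
#   RUNTIME_USER  - account under which the runtime process is executed
#   RUNTIME_DIRS  - configuration dir, binary dir and working dir of the runtime
RUNTIME_GROUP="${RUNTIME_GROUP:-codesys}"
RUNTIME_USER="${RUNTIME_USER:-codesysuser}"
RUNTIME_DIRS="${RUNTIME_DIRS:-/etc/codesys /opt/codesys/bin /var/opt/codesys}"

# Root-only setup steps (shown, not executed here):
#   groupadd "$RUNTIME_GROUP"
#   usermod -a -G "$RUNTIME_GROUP" "$RUNTIME_USER"

# other_bits PATH: prints the "other" permission triple, e.g. "---" or "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# harden_dir DIR: hand the tree to the privileged group (if it exists) and
# remove every "other" bit from the directory and everything below it.
# Securing the directory itself is what protects files created later.
harden_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if getent group "$RUNTIME_GROUP" >/dev/null 2>&1; then
        chgrp -R "$RUNTIME_GROUP" "$dir" || echo "warning: chgrp failed for $dir" >&2
    fi
    chmod -R o-rwx "$dir" || return 1
    chmod g+rx "$dir"
}

# check_dir PATH: returns 0 when "other" has no permission bits, 1 otherwise.
check_dir() {
    [ "$(other_bits "$1")" = "---" ]
}

# harden_all: processes every configured directory; returns 1 if any failed.
harden_all() {
    rc=0
    for d in $RUNTIME_DIRS; do
        if harden_dir "$d" && check_dir "$d"; then
            echo "secured: $d ($(ls -ld "$d" | cut -c1-10))"
        else
            echo "NOT secured: $d" >&2
            rc=1
        fi
    done
    return $rc
}

# Only modify the real directories when explicitly asked:  sh harden.sh --apply
if [ "$1" = "--apply" ]; then
    harden_all
fi
```

Run it as root with `--apply` after the group exists; `check_dir` can also be run on its own as a periodic audit, since it only reads the permission bits.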
CVE-2025-41691 : The vulnerability can be mitigated by restricting the allowed login authentication type "CmpUserMgr/UserLogin_AuthenticationType" to "ONLY_ASYMMETRIC". This can be configured either via the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting:
```ini
[CmpUserMgr]
SECURITY.UserLogin_AuthenticationType=ONLY_ASYMMETRIC
```
With this configuration in place, both potential attackers and legacy CODESYS protocol clients (prior to version 3.5.16.0) will be blocked from logging in, thereby preventing execution of the vulnerable code path.
As a further countermeasure, examine whether the use of the CODESYS environment can be avoided in your own application design.
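To verify the CVE-2025-41691 setting on a fleet of controllers rather than by eye, the following added example (not part of this advisory, nor a CODESYS tool) checks a CODESYSControl.cfg for the required value under [CmpUserMgr] and, if it is absent or different, rewrites the file so the section carries it. It assumes the INI-style layout shown above ("[Section]" headers and "Key=Value" lines) and treats lines beginning with ';' or '#' as comments; that comment syntax is an assumption. The weak sample configuration in the usage is constructed.

```shell
#!/bin/sh
# Added example (not ifm's or CODESYS's own tooling): check and apply
#   [CmpUserMgr]
#   SECURITY.UserLogin_AuthenticationType=ONLY_ASYMMETRIC
# in a CODESYSControl.cfg. Comment syntax (';' or '#') is an assumption.
SECTION="CmpUserMgr"
KEY="SECURITY.UserLogin_AuthenticationType"
WANT="ONLY_ASYMMETRIC"

# current_auth_type CFG: prints the value set for KEY inside [CmpUserMgr],
# or nothing if the key is not set there. The last occurrence wins.
current_auth_type() {
    awk -v sec="$SECTION" -v key="$KEY" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s=$0; sub(/^[ \t]*\[/,"",s); sub(/\][ \t]*$/,"",s); section=s; next }
        section==sec && index($0,"=") {
            k=substr($0,1,index($0,"=")-1); v=substr($0,index($0,"=")+1)
            gsub(/[ \t]/,"",k); gsub(/[ \t]/,"",v)
            if (k==key) val=v
        }
        END { if (val!="") print val }
    ' "$1"
}

# check_auth_type CFG: 0 if the mitigation is in place, 1 otherwise.
check_auth_type() {
    [ "$(current_auth_type "$1")" = "$WANT" ]
}

# apply_auth_type CFG: rewrite CFG so that [CmpUserMgr] carries KEY=WANT.
# An existing KEY line in the section is replaced (duplicates are dropped);
# a missing section is appended. The file is replaced atomically via rename.
apply_auth_type() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk -v sec="$SECTION" -v key="$KEY" -v want="$WANT" '
        function flush() { if (section==sec && !done) { print key "=" want; done=1 } }
        /^[ \t]*\[/ {
            flush()
            s=$0; sub(/^[ \t]*\[/,"",s); sub(/\][ \t]*$/,"",s); section=s
            print; next
        }
        section==sec && !/^[ \t]*[;#]/ && index($0,"=") {
            k=substr($0,1,index($0,"=")-1); gsub(/[ \t]/,"",k)
            if (k==key) { if (!done) { print key "=" want; done=1 }; next }
        }
        { print }
        END {
            flush()
            if (!done) { print "[" sec "]"; print key "=" want }
        }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage:  sh check_auth.sh /path/to/CODESYSControl.cfg [--apply]
if [ -n "$1" ]; then
    if check_auth_type "$1"; then
        echo "OK: $KEY=$WANT"
    elif [ "$2" = "--apply" ]; then
        apply_auth_type "$1" && echo "applied: $KEY=$WANT"
    else
        echo "NOT mitigated: $KEY is '$(current_auth_type "$1")'" >&2
        exit 1
    fi
fi
```

After applying the change the runtime must be restarted for the new setting to take effect, and, as the text above notes, legacy CODESYS protocol clients prior to version 3.5.16.0 will no longer be able to log in.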
Remediation
Update to firmware version 3.3.
Acknowledgments
ifm electronic GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 05/06/2026 10:00 | initial release |