Summary
The CODESYS Control runtime system provides a user management mechanism with multiple privilege groups. While only the privileged Administrators and Developer groups are intended to load or debug applications on the controller, users in the restricted Service group are allowed to perform maintenance operations, including explicitly replacing the boot application.
In addition to access control, the CODESYS Control runtime system includes an optional application signing feature. When enabled, the controller executes only applications that have been validly signed by authorized developers. However, if application signing is not enforced, the CmpApp component of the CODESYS Control runtime system allows Service‑group users to install a new boot application without any cryptographic validation.
As a result, users with Service‑level privileges can install arbitrary boot applications and gain control over the code executed on the controller.
Note: The user group "Service" is a predefined group within the CODESYS Control runtime system. If additional user groups have been created or if the permissions of predefined groups have been modified, then the term "Service" should be understood as a synonym for all groups and their users with no or only limited access rights to the "PlcLogic" object, in conjunction with "Add/Remove" or "Modify" permissions for the boot application files.
Impact
Exploitation of this vulnerability may allow a low-privileged remote attacker to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution on the PLC.
Affected Product(s)
| Product name | Affected versions |
|---|---|
| CODESYS Control RTE (SL) | vers:generic/<3.5.22.0 |
| CODESYS Control RTE (for Beckhoff CX) SL | vers:generic/<3.5.22.0 |
| CODESYS Control Win (SL) | vers:generic/<3.5.22.0 |
| CODESYS Control for BeagleBone SL | vers:generic/<4.21.0.0 |
| CODESYS Control for IOT2000 SL | vers:generic/<4.21.0.0 |
| CODESYS Control for Linux ARM SL | vers:generic/<4.21.0.0 |
| CODESYS Control for Linux SL | vers:generic/<4.21.0.0 |
| CODESYS Control for PFC100 SL | vers:generic/<4.21.0.0 |
| CODESYS Control for PFC200 SL | vers:generic/<4.21.0.0 |
| CODESYS Control for PLCnext SL | vers:generic/<4.21.0.0 |
| CODESYS Control for Raspberry Pi SL | vers:generic/<4.21.0.0 |
| CODESYS Control for WAGO Touch Panels 600 SL | vers:generic/<4.21.0.0 |
| CODESYS Control for emPC-A/iMX6 SL | vers:generic/<4.21.0.0 |
| CODESYS HMI (SL) | vers:generic/<3.5.22.0 |
| CODESYS Runtime Toolkit | vers:generic/<3.5.22.0 |
| CODESYS Virtual Control SL | vers:generic/<4.21.0.0 |
Vulnerabilities
A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.
Mitigation
Without applying the update, the vulnerability can be mitigated by enforcing the use of signed applications through the following setting:
```ini
[CmpApp]
SECURITY.EnforceSignedCode=YES
```
This can be configured either via the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg). When this option is enabled, the CODESYS Control runtime system loads only trusted and valid signed applications.
Alternatively, all users belonging to the Service group can be removed, or the Service group can be deleted entirely.
If none of the other mitigation options are feasible, the permissions of the Service group can be restricted by adjusting their access rights. For example, removing modify permissions for the Service group on relevant file system objects can prevent the upload of untrusted boot applications. However, such changes must be applied with caution, as they may lead to inconsistent permissions for this user group and result in unexpected operational limitations. Therefore, this approach should only be considered after a careful assessment of the specific situation.
Remediation
Update the following products to version 3.5.22.0.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS HMI (SL)
* CODESYS Runtime Toolkit
Update the following products to version 4.21.0.0. The release of this version is expected for Q2 2026.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL
As part of the update, a new configuration file is provided that contains the following setting, which defines the behavior for Service‑group users:
```ini
[CmpApp]
SECURITY.UnsignedApplicationFileTransfer=DENY
```
When this configuration file is used, such as during a new installation, the CODESYS Control runtime system is protected by default.
CODESYS Control runtime systems that continue to use an existing configuration will default to the value ALLOW_WITH_WARNING to ensure compatibility. This setting can be changed either through the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting in the section [CmpApp]:
```ini
SECURITY.UnsignedApplicationFileTransfer=
```
The setting supports the following values:
* DENY: Transfer of unsigned applications is blocked (recommended)
* ALLOW_WITH_WARNING: Transfer is permitted and a warning is logged (default for existing installations)
* ALLOW: Transfer of unsigned applications is permitted (not recommended)
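The following audit script is an added example (not CODESYS code) that checks a CODESYSControl.cfg for both settings named in this advisory: the EnforceSignedCode mitigation above and the UnsignedApplicationFileTransfer setting introduced by the update. It assumes the INI-like layout shown in the advisory (a `[CmpApp]` section header followed by `Key=Value` lines) and treats a missing EnforceSignedCode key as "not enforced", since the advisory describes signing as optional.

```python
"""Audit a CODESYSControl.cfg for the settings in this advisory (added example)."""
import sys

SECTION = "CmpApp"
ENFORCE_KEY = "SECURITY.EnforceSignedCode"
TRANSFER_KEY = "SECURITY.UnsignedApplicationFileTransfer"
# Default the advisory states for runtimes that keep an existing config file.
TRANSFER_DEFAULT = "ALLOW_WITH_WARNING"


def parse_cfg(text):
    """Return {section: {key: value}} from INI-style text, preserving key case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()   # last write wins
    return sections


def audit(text):
    """Return (protected, findings). Either setting alone closes the gap."""
    cmpapp = parse_cfg(text).get(SECTION, {})
    # Assumption: an absent key means signing is not enforced (feature is optional).
    enforce = cmpapp.get(ENFORCE_KEY, "NO").upper()
    transfer = cmpapp.get(TRANSFER_KEY, TRANSFER_DEFAULT).upper()
    findings = []
    if enforce != "YES":
        findings.append(f"{ENFORCE_KEY}={enforce}: unsigned applications can be loaded")
    if transfer != "DENY":
        findings.append(f"{TRANSFER_KEY}={transfer}: Service-group users can transfer "
                        "unsigned boot applications")
    return (enforce == "YES" or transfer == "DENY"), findings


# Constructed sample: a pre-update config that sets neither protective value.
SAMPLE_CFG = "[CmpSettings]\n; unrelated section\nFoo=1\n\n[CmpApp]\nBootproject.RetainMismatchExceptionAtStartup=1\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    ok, findings = audit(text)
    print("protected" if ok else "NOT protected")
    for f in findings:
        print(" -", f)
```

Run it against a real file with `python audit_cfg.py /path/to/CODESYSControl.cfg`; without an argument it audits the embedded sample.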
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as well as for all other products, you will find further information on obtaining the software update in the CODESYS Update area [4].
Acknowledgments
CODESYS GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://www.certvde.com)
- Luca Borzacchiello from Nozomi Networks for reporting
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 03/24/2026 09:00 | Initial revision. |