CVE-2025-34226
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-34226, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-03

Last updated on: 2025-11-13

Assigner: VulnCheck

Description

OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epoch_time field supplied during program uploads is not validated and can be crafted to induce corruption of the programs database. After a successful malformed upload the runtime continues to operate until a restart; on restart the runtime can fail to start because of corrupted database entries, resulting in persistent denial of service requiring complete rebase of the product to recover. This vulnerability was remediated by commit 095ee09.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-03
Last Modified
2025-11-13
Generated
2026-07-06
AI Q&A
2025-10-03
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
autonomy openplc_runtime 3
autonomy openplc_runtime 3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an input validation flaw in OpenPLC Runtime v3's /upload-program-action endpoint. Specifically, the epoch_time field provided during program uploads is not properly validated, allowing an attacker to craft a malformed input that corrupts the programs database. Although the runtime continues to operate after the malformed upload, it may fail to start after a restart due to the corrupted database, causing a persistent denial of service that requires a complete rebase of the product to recover.

Impact Analysis

The impact of this vulnerability is a persistent denial of service. After a successful malformed upload, the OpenPLC Runtime may continue running until it is restarted. Upon restart, the runtime can fail to start because of corrupted database entries, making the system unavailable until a full rebase of the product is performed to recover.

Mitigation Strategies

To mitigate this vulnerability, avoid uploading programs with crafted or malformed epoch_time fields to the /upload-program-action endpoint. Apply the patch that remediated the issue, specifically the commit 095ee09623dd229b64ad3a1db38a901a3772f6fc. Additionally, monitor for any signs of database corruption and be prepared to rebase the product if a restart failure occurs due to corrupted database entries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart