CVE-2025-34226
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-03

Last updated on: 2025-11-13

Assigner: VulnCheck

Description
OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epoch_time field supplied during program uploads is not validated and can be crafted to induce corruption of the programs database. After a successful malformed upload the runtime continues to operate until a restart; on restart the runtime can fail to start because of corrupted database entries, resulting in persistent denial of service requiring complete rebase of the product to recover. This vulnerability was remediated by commit 095ee09.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-03
Last Modified
2025-11-13
Generated
2026-06-16
AI Q&A
2025-10-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34226
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
autonomy openplc_runtime 3
autonomy openplc_runtime 3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an input validation flaw in OpenPLC Runtime v3's /upload-program-action endpoint. Specifically, the epoch_time field provided during program uploads is not properly validated, allowing an attacker to craft a malformed input that corrupts the programs database. Although the runtime continues to operate after the malformed upload, it may fail to start after a restart due to the corrupted database, causing a persistent denial of service that requires a complete rebase of the product to recover.

Impact Analysis

The impact of this vulnerability is a persistent denial of service. After a successful malformed upload, the OpenPLC Runtime may continue running until it is restarted. Upon restart, the runtime can fail to start because of corrupted database entries, making the system unavailable until a full rebase of the product is performed to recover.

Mitigation Strategies

To mitigate this vulnerability, avoid uploading programs with crafted or malformed epoch_time fields to the /upload-program-action endpoint. Apply the patch that remediated the issue, specifically the commit 095ee09623dd229b64ad3a1db38a901a3772f6fc. Additionally, monitor for any signs of database corruption and be prepared to rebase the product if a restart failure occurs due to corrupted database entries.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart