CVE-2025-41660
Received Received - Intake
Boot Application Replacement Vulnerability in CODESYS Control Runtime

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: CERT VDE

Description
A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-41660
EUVD
EUVD-2025-208957
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
codesys control_rte *
codesys control *
codesys hmi *
codesys runtime_toolkit *
codesys virtual_control to 3.5.22.0 (exc)
codesys control to 4.21.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-41660 is a vulnerability in the CODESYS Control V3 runtime system that allows a low-privileged remote attacker to replace the boot application of the system. The runtime system manages user privileges across groups such as Administrators, Developers, and a restricted Service group. Normally, only Administrators and Developers can load or debug applications, while the Service group can perform maintenance tasks including replacing the boot application.

The vulnerability exists because if application signing enforcement is disabled, users in the Service group can install a new boot application without cryptographic validation. This means an attacker with Service-level access can replace the boot application arbitrarily, leading to unauthorized code execution on the programmable logic controller (PLC).

Affected products include various versions of CODESYS Control RTE, CODESYS Control for multiple platforms, CODESYS HMI, Runtime Toolkit, and Virtual Control prior to versions 3.5.22.0 or 4.21.0.0 depending on the platform.

Impact Analysis

This vulnerability can have serious impacts because it allows unauthorized code execution on the affected system. An attacker with low privileges can replace the boot application, potentially gaining control over the programmable logic controller (PLC).

The CVSS v3.1 score of 8.8 (High severity) reflects that the attack can be performed remotely over the network with low complexity and no user interaction, and it affects confidentiality, integrity, and availability of the system.

  • Unauthorized code execution on critical control systems.
  • Potential disruption or manipulation of industrial processes controlled by the PLC.
  • Compromise of system confidentiality, integrity, and availability.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking the configuration of the CODESYS Control runtime system, specifically whether application signing enforcement is enabled.'}, {'type': 'paragraph', 'content': 'You should verify if the setting `[CmpApp] SECURITY.EnforceSignedCode` is set to YES in the CODESYSControl.cfg configuration file or in the CODESYS Development System.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring logs for warnings related to unsigned application transfers can help detect attempts to exploit this vulnerability.'}, {'type': 'paragraph', 'content': 'Commands to check configuration files or logs depend on your system environment, but examples include:'}, {'type': 'list_item', 'content': "On Linux-based systems, use `grep 'EnforceSignedCode' /path/to/CODESYSControl.cfg` to check the enforcement setting."}, {'type': 'list_item', 'content': 'Use `tail -f /var/log/codesys.log` or the relevant log file to monitor for warnings about unsigned application transfers.'}, {'type': 'list_item', 'content': 'Check user permissions for the Service group to see if they have modify rights on boot application files.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include enforcing application signing to ensure only cryptographically signed and authorized applications can be loaded.'}, {'type': 'paragraph', 'content': 'This can be done by setting `[CmpApp] SECURITY.EnforceSignedCode=YES` in the CODESYS Development System or directly in the CODESYSControl.cfg configuration file.'}, {'type': 'paragraph', 'content': "Alternatively, you can remove or restrict the Service group's permissions, especially revoking modify rights on boot application files, to prevent unauthorized replacement of the boot application."}, {'type': 'paragraph', 'content': 'However, restricting Service group permissions may cause operational issues and should be carefully assessed.'}, {'type': 'paragraph', 'content': 'The definitive remediation is to update affected products to version 3.5.22.0 or 4.21.0.0 (expected Q2 2026), which introduces a new configuration setting `[CmpApp] SECURITY.UnsignedApplicationFileTransfer=DENY` that blocks unsigned application transfers by default.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart