CVE-2025-41660
Boot Application Replacement Vulnerability in CODESYS Control Runtime
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: CERT VDE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codesys | control_rte | * (all versions) |
| codesys | control | * (all versions) |
| codesys | hmi | * (all versions) |
| codesys | runtime_toolkit | * (all versions) |
| codesys | virtual_control | < 3.5.22.0 |
| codesys | control | < 4.21.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41660 affects the CODESYS Control V3 runtime system and allows a low-privileged remote attacker to replace the boot application, the project that the PLC loads and runs at start-up. The runtime manages user privileges through groups such as Administrators, Developers and a restricted Service group. Only Administrators and Developers are meant to load and debug applications; the Service group is meant for maintenance tasks, and those tasks include replacing the boot application.
The problem is that when application signing is not enforced, a Service-group user can install a new boot application without any cryptographic validation of it. An attacker who holds Service-level credentials can therefore push an arbitrary, unsigned application, which the runtime then loads and executes, amounting to unauthorized code execution on the programmable logic controller (PLC). This is why the weakness is classified as CWE-669 (incorrect resource transfer between spheres): a maintenance permission hands a low-privileged user control over the code the PLC executes.
Affected products include CODESYS Control RTE, CODESYS Control for several platforms, CODESYS HMI, the Runtime Toolkit and Virtual Control, in versions before 3.5.22.0 or 4.21.0.0 depending on the product line.
How can this vulnerability impact me?
This vulnerability can have serious impacts because it allows unauthorized code execution on the affected system. An attacker with low privileges can replace the boot application, potentially gaining control over the programmable logic controller (PLC).
The CVSS v3.1 score of 8.8 (High severity) reflects that the attack can be performed remotely over the network with low complexity and no user interaction, and it affects confidentiality, integrity, and availability of the system.
- Unauthorized code execution on critical control systems.
- Potential disruption or manipulation of industrial processes controlled by the PLC.
- Compromise of system confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centers on the configuration of the CODESYS Control runtime, specifically whether application signing enforcement is enabled.
Verify that `[CmpApp] SECURITY.EnforceSignedCode` is set to YES in the CODESYSControl.cfg file (or through the CODESYS Development System). The key only takes effect inside the `[CmpApp]` section, and a commented-out line (prefixed with `;`) does not count, so read the file in context rather than relying on a bare string match.
Also watch the runtime log for warnings about unsigned application transfers; repeated warnings of that kind tied to a Service-group account are a sign of attempted exploitation.
The exact commands depend on your platform, but for example:
- On Linux-based targets, `grep 'EnforceSignedCode' /path/to/CODESYSControl.cfg` lists every line that mentions the setting; confirm that the live (uncommented) match sits under `[CmpApp]` and reads YES.
- `tail -f /var/log/codesys.log`, substituting the log file your runtime actually writes (the path varies by platform and logger configuration), to watch for unsigned-transfer warnings.
- Review the Service group's permissions and confirm whether it holds modify rights on the boot application files. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to enforce application signing so that only cryptographically signed, authorized applications can be loaded.
Set `[CmpApp] SECURITY.EnforceSignedCode=YES`, either in the CODESYS Development System or directly in the CODESYSControl.cfg file. The runtime reads that file at start-up, so restart it after editing.
Alternatively, remove the Service group or restrict its permissions, in particular by revoking modify rights on the boot application files, so that its members can no longer replace the boot application.
Restricting the Service group can break legitimate maintenance workflows, so assess the operational impact before rolling it out.
The definitive remediation is to update affected products to version 3.5.22.0 or 4.21.0.0 (expected Q2 2026). Those releases introduce a new setting, `[CmpApp] SECURITY.UnsignedApplicationFileTransfer=DENY`, which blocks unsigned application transfers by default. [1]
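As an added example (not code from this page, the advisory or CODESYS), the following bash functions implement the configuration check from the detection answer and the configuration change from the mitigation answer above in a section-aware way: a plain `grep` for `EnforceSignedCode` also matches a commented-out line or a copy of the key in another section, which these functions do not. The section and key names are the ones the answers cite; the file path `/etc/CODESYSControl.cfg`, the accepted "on" spellings (YES, 1, TRUE; the page documents YES) and the sample configuration files are assumptions or constructed test data, so confirm the path and value format against your own device before relying on it.

```bash
#!/usr/bin/env bash
# Added example (not CODESYS code): section-aware read/check/set of the
# [CmpApp] SECURITY.EnforceSignedCode key in an INI-style CODESYSControl.cfg.
# Assumptions: the file location (typically /etc/CODESYSControl.cfg on Linux
# targets) and the accepted "on" spellings YES/1/TRUE; the page documents YES.

# cfg_get FILE SECTION KEY -> prints the live value of KEY inside [SECTION].
# Comment lines (; or #) are ignored; if the key repeats, the last one wins.
cfg_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { gsub(/[[:space:]]/, ""); insec = ($0 == want); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                val = v
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# cfg_set FILE SECTION KEY VALUE -> rewrites FILE so that [SECTION] holds exactly
# one live KEY=VALUE line. A commented-out copy is left untouched, the section is
# appended if missing, and the original is kept as FILE.bak.
cfg_set() {
    awk -v want="[$2]" -v key="$3" -v val="$4" '
        function emit() { if (insec && !done) { print key "=" val; done = 1 } }
        /^[[:space:]]*\[/ {
            emit()                       # leaving a section: add the key if it was missing
            s = $0; gsub(/[[:space:]]/, "", s)
            insec = (s == want); if (insec) found = 1
            print; next
        }
        insec && !/^[[:space:]]*[;#]/ && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) { emit(); next }   # replace the first live copy, drop later ones
        }
        { print }
        END { emit(); if (!found) { print ""; print want; print key "=" val } }
    ' "$1" > "$1.tmp" && cp "$1" "$1.bak" && mv "$1.tmp" "$1"
}

# check_enforce_signed_code FILE -> 0 when signing is enforced, 1 otherwise
# (key missing, set to NO, placed outside [CmpApp], or only present as a comment).
check_enforce_signed_code() {
    local v
    v=$(cfg_get "$1" CmpApp SECURITY.EnforceSignedCode)
    case "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" in
        YES|1|TRUE) echo "OK:   [CmpApp] SECURITY.EnforceSignedCode=$v"; return 0 ;;
        "")         echo "FAIL: SECURITY.EnforceSignedCode is not set in [CmpApp]"; return 1 ;;
        *)          echo "FAIL: [CmpApp] SECURITY.EnforceSignedCode=$v"; return 1 ;;
    esac
}

# make_sample_cfgs DIR -> writes constructed sample files (not real device configs)
# covering the cases a plain grep gets wrong. SomeOtherSetting is a placeholder key.
make_sample_cfgs() {
    cat > "$1/enforced.cfg" <<'EOF'
[CmpLog]
SomeOtherSetting=1

[CmpApp]
; SECURITY.EnforceSignedCode=NO
SECURITY.EnforceSignedCode = YES
EOF
    cat > "$1/disabled.cfg" <<'EOF'
[CmpApp]
SECURITY.EnforceSignedCode=NO
EOF
    cat > "$1/commented.cfg" <<'EOF'
[CmpApp]
;SECURITY.EnforceSignedCode=YES
EOF
    cat > "$1/wrong_section.cfg" <<'EOF'
[CmpLog]
SECURITY.EnforceSignedCode=YES
[CmpApp]
SomeOtherSetting=1
EOF
}

# Usage on a real target (assumed path): check_enforce_signed_code /etc/CODESYSControl.cfg
```

Run `check_enforce_signed_code` against the configuration file on each controller; exit code 0 means enforcement is on, anything else needs attention. `cfg_set` rewrites the file in place and keeps a `.bak` copy; because the runtime only reads CODESYSControl.cfg at start-up, restart it after the change and re-run the check.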