CVE-2026-3509
Format String Vulnerability in CODESYS Audit Log Causes DoS
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: CERT VDE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codesys | control_rte | From 3.5.17.0 (inc) to 3.5.22.0 (exc) |
| codesys | control_rte_for_beckhoff_cx_sl | From 3.5.17.0 (inc) to 3.5.22.0 (exc) |
| codesys | control_win | From 3.5.17.0 (inc) to 3.5.22.0 (exc) |
| codesys | runtime_toolkit | From 3.5.17.0 (inc) to 3.5.22.0 (exc) |
| codesys | control_for_beaglebone | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_empc_a_imx6 | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_iot2000 | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_linux_arm | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_linux | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_pfc100 | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_pfc200 | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_plcnext | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_raspberry_pi | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | control_for_wago_touch_panels_600 | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
| codesys | virtual_control_sl | From 4.1.0.0 (inc) to 4.21.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-134 | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3509 is a vulnerability in the CODESYS Control runtime system's Audit Log component (CmpAuditLog) where an unauthenticated remote attacker can control the format string of audit log messages.
This is an externally-controlled format string vulnerability (CWE-134) that can be exploited to cause a denial-of-service (DoS) condition by crashing the CODESYS Control runtime system.
The vulnerability affects multiple versions of CODESYS Control runtimes and toolkits across various platforms. [1]
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial-of-service (DoS) condition that disrupts the availability of the CODESYS Control runtime system.
Because an unauthenticated remote attacker can control the format string of audit log messages, they can crash the runtime system, potentially making the industrial control systems that depend on it unavailable.
This can lead to operational disruptions in environments relying on affected CODESYS Control products.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects multiple versions of the CODESYS Control runtime system and related products. Detection involves identifying if your system is running an affected version of CODESYS Control runtimes or toolkits.
You can check the version of the CODESYS Control runtime installed on your system to determine if it falls within the vulnerable ranges: versions 3.5.17.0 up to but not including 3.5.22.0 for 3.x products, and versions 4.1.0.0 up to but not including 4.21.0.0 for 4.x products.
Since the vulnerability involves the Audit Log feature, you can also check the configuration files for the Audit Log settings to see if the Audit Log is enabled.
Suggested commands (depending on your system) include:
- Check the installed CODESYS Control runtime version, for example by querying the software version via the CODESYS interface or using system package/version commands.
- Inspect the configuration file (often named related to CmpAuditLog or Audit Log) for the Audit Log settings, looking in the `[CmpLog]` section for lines like `Logger.0.Name=.Audit.log` and `Logger.0.Enable=1`.
- On Linux-based systems, you might use commands like `grep -i audit /path/to/codesys/configuration/file` to find if Audit Log is enabled.
- Monitor network traffic for unusual or malformed audit log messages that could indicate exploitation attempts, using tools like tcpdump or Wireshark.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to disable the Audit Log feature in the CODESYS Control runtime configuration to prevent exposure to the vulnerability.
This can be done by setting the following configuration parameters:
- In the `[CmpLog]` section: `Logger.0.Name=.Audit.log` and `Logger.0.Enable=0`
Additionally, you should update affected products to fixed versions as soon as possible:
- For 3.x products (CODESYS Control RTE (SL), RTE for Beckhoff CX SL, Control Win (SL), Runtime Toolkit), update to version 3.5.22.0 or later.
- For 4.x products (Control for BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, Virtual Control SL), update to version 4.21.0.0 or later, expected to be released in Q2 2026.
Updates and further information are available via the CODESYS Installer, CODESYS Store, or the CODESYS Update area at https://www.codesys.com/download/.
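As an added example that is not part of this advisory or of CODESYS's own tooling, the Python script below combines the detection and mitigation checks above: it tests a runtime version string against the affected ranges and parses a CODESYS configuration file for an enabled `[CmpLog]` audit logger, so the same check distinguishes the vulnerable setting (`Logger.0.Enable=1`) from the mitigated one (`Logger.0.Enable=0`). How the version string is obtained and where the configuration file lives are assumptions, and both sample configurations are constructed.

```python
import configparser

# Affected ranges from the advisory, as (inclusive start, exclusive end) pairs.
AFFECTED_RANGES = (("3.5.17.0", "3.5.22.0"), ("4.1.0.0", "4.21.0.0"))

# Constructed sample configurations (not taken from a real installation).
SAMPLE_CFG_VULNERABLE = """\
[CmpLog]
Logger.0.Name=.Audit.log
Logger.0.Enable=1
Logger.1.Name=codesyscontrol.log
Logger.1.Enable=1
"""
SAMPLE_CFG_MITIGATED = SAMPLE_CFG_VULNERABLE.replace("Logger.0.Enable=1", "Logger.0.Enable=0")

def parse_version(text):
    """Turn '3.5.19.0' into (3, 5, 19, 0) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version):
    """True when the runtime version lies inside one of the advisory's [inc, exc) ranges."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi) for lo, hi in AFFECTED_RANGES)

def enabled_audit_loggers(cfg_text):
    """Return the names of [CmpLog] loggers that write an audit log and have Enable=1."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'Logger.0.Name' casing instead of lower-casing keys
    cp.read_string(cfg_text)
    if not cp.has_section("CmpLog"):
        return []
    names = []
    for key, value in cp.items("CmpLog"):
        parts = key.split(".")  # expected shape: Logger.<n>.Name
        if len(parts) == 3 and parts[0] == "Logger" and parts[2] == "Name" and "audit" in value.lower():
            enable = cp.get("CmpLog", f"Logger.{parts[1]}.Enable", fallback="0")
            if enable.strip() == "1":
                names.append(value)
    return names

def assess(version, cfg_text):
    """Exposed only when the version is affected AND an audit logger is still enabled."""
    loggers = enabled_audit_loggers(cfg_text)
    affected = is_affected(version)
    return {"version_affected": affected, "audit_loggers": loggers,
            "exposed": affected and bool(loggers)}

if __name__ == "__main__":  # version string and config are assumed inputs
    print(assess("3.5.19.0", SAMPLE_CFG_VULNERABLE))
```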