CVE-2026-3509
Received Received - Intake
Format String Vulnerability in CODESYS Audit Log Causes DoS

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: CERT VDE

Description
An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3509
EUVD
EUVD-2026-14784
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
codesys control_rte From 3.5.17.0 (inc) to 3.5.22.0 (exc)
codesys control_rte_for_beckhoff_cx_sl From 3.5.17.0 (inc) to 3.5.22.0 (exc)
codesys control_win From 3.5.17.0 (inc) to 3.5.22.0 (exc)
codesys runtime_toolkit From 3.5.17.0 (inc) to 3.5.22.0 (exc)
codesys control_for_beaglebone From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_empc_a_imx6 From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_iot2000 From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_linux_arm From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_linux From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_pfc100 From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_pfc200 From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_plcnext From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_raspberry_pi From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys control_for_wago_touch_panels_600 From 4.1.0.0 (inc) to 4.21.0.0 (exc)
codesys virtual_control_sl From 4.1.0.0 (inc) to 4.21.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3509 is a vulnerability in the CODESYS Control runtime system's Audit Log component (CmpAuditLog) where an unauthenticated remote attacker can control the format string of audit log messages."}, {'type': 'paragraph', 'content': 'This is an externally-controlled format string vulnerability (CWE-134) that can be exploited to cause a denial-of-service (DoS) condition by crashing the CODESYS Control runtime system.'}, {'type': 'paragraph', 'content': 'The vulnerability affects multiple versions of CODESYS Control runtimes and toolkits across various platforms.'}] [1]

Impact Analysis

The primary impact of this vulnerability is a denial-of-service (DoS) condition that disrupts the availability of the CODESYS Control runtime system.

Since the attacker can remotely and unauthenticated control the format string of audit log messages, they can crash the runtime system, potentially causing industrial control systems to become unavailable.

This can lead to operational disruptions in environments relying on affected CODESYS Control products.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects multiple versions of the CODESYS Control runtime system and related products. Detection involves identifying if your system is running an affected version of CODESYS Control runtimes or toolkits.

You can check the version of the CODESYS Control runtime installed on your system to determine if it falls within the vulnerable ranges: versions 3.5.17.0 up to but not including 3.5.22.0 for 3.x products, and versions 4.1.0.0 up to but not including 4.21.0.0 for 4.x products.

Since the vulnerability involves the Audit Log feature, you can also check the configuration files for the Audit Log settings to see if the Audit Log is enabled.

Suggested commands (depending on your system) include:

  • Check the installed CODESYS Control runtime version, for example by querying the software version via the CODESYS interface or using system package/version commands.
  • Inspect the configuration file (often named related to CmpAuditLog or Audit Log) for the Audit Log settings, looking for lines like: [CmpLog] Logger.0.Name=.Audit.log Logger.0.Enable=1
  • On Linux-based systems, you might use commands like `grep -i audit /path/to/codesys/configuration/file` to find if Audit Log is enabled.
  • Monitor network traffic for unusual or malformed audit log messages that could indicate exploitation attempts, using tools like tcpdump or Wireshark.
Mitigation Strategies

The immediate mitigation step is to disable the Audit Log feature in the CODESYS Control runtime configuration to prevent exposure to the vulnerability.

This can be done by setting the following configuration parameters:

  • [CmpLog] Logger.0.Name=.Audit.log Logger.0.Enable=0

Additionally, you should update affected products to fixed versions as soon as possible:

  • For 3.x products (CODESYS Control RTE (SL), RTE for Beckhoff CX SL, Control Win (SL), Runtime Toolkit), update to version 3.5.22.0 or later.
  • For 4.x products (Control for BeagleBone, emPC-A/iMX6, IOT2000, Linux ARM, Linux, PFC100, PFC200, PLCnext, Raspberry Pi, WAGO Touch Panels 600, Virtual Control SL), update to version 4.21.0.0 or later, expected to be released in Q2 2026.

Updates and further information are available via the CODESYS Installer, CODESYS Store, or the CODESYS Update area at https://www.codesys.com/download/.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3509. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart