CVE-2026-35227
Unauthenticated TCP Connection Exhaustion in CODESYS Modbus TCP Server
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codesys | modbus_tcp_server | to 4.6.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-772 | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-35227 vulnerability affects the CODESYS Modbus TCP Server, specifically versions prior to 4.6.0.0. It is caused by improper resource management in the Modbus TCP Server protocol stack library, which can be exploited through a race condition in connection handling.
An unauthenticated remote attacker can trigger this race condition to exhaust the maximum number of TCP connections configured on the server. This prevents new connections from being accepted, effectively denying legitimate clients access to the server.
The vulnerability only exists in CODESYS projects that include a Modbus TCP server configuration.
How can this vulnerability impact me? :
This vulnerability can be exploited by an unauthenticated remote attacker to exhaust all available TCP connections on the CODESYS Modbus TCP Server.
As a result, legitimate clients will be unable to establish new connections to the server, causing a denial of service (DoS) condition.
This can disrupt normal operations and communication with the affected device or system, potentially impacting industrial control processes that rely on the Modbus TCP Server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves exhaustion of all available TCP connections in the CODESYS Modbus TCP Server stack due to a race condition in connection handling. Detection would involve monitoring the number of active TCP connections to the Modbus TCP Server and identifying if the maximum configured connections are being reached unexpectedly, preventing new legitimate connections.
Specific commands are not provided in the available resources, but typical network or system commands to monitor TCP connections include using tools like netstat or ss on the server hosting the Modbus TCP Server to check current TCP connection states and counts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the CODESYS Modbus TCP Server to version 4.6.0.0 or later.
Additionally, update the local Modbus TCP Server in the device tree and perform a download of the updated CODESYS application to the PLC.
The fix can be obtained through the CODESYS Installer, CODESYS Store, or the CODESYS Update area.