CVE-2026-8047
BaseFortify
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: CERT VDE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codesys | control | to 3.5.22.20 (inc) |
| codesys | control | to 4.21.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8047 affects multiple CODESYS Control products and stems from improper bounds checking in the CmpWebServer component (the runtime's built-in HTTP server).
An unauthenticated remote attacker can send a specially crafted HTTP request that triggers a size-limited out-of-bounds write.
The result is a crash of the CODESYS Control Runtime, i.e. a denial of service on the affected device.
The issue only affects devices on which the web server is active, which is the case only when a running application has Web Visualization enabled.
How can this vulnerability impact me?
An unauthenticated remote attacker can exploit this vulnerability to cause a denial of service by crashing the affected device.
This means that the system running the vulnerable CODESYS Control product could become unavailable, potentially disrupting operations that depend on it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects systems running CODESYS Control products with the web server active, which requires a running application with Web Visualization enabled. Detection therefore means establishing, per device, whether an affected CODESYS Control Runtime version is installed and whether the CmpWebServer component is actually active.
Because exploitation consists of crafted HTTP requests that cause an out-of-bounds write and a runtime crash, monitoring for malformed or unusual HTTP requests to the runtime's web port, and for unexplained restarts or crashes of the runtime, can help reveal exploitation attempts.
The available resources do not provide specific commands. The general steps are: record the installed CODESYS Control Runtime version on each device and compare it against the affected ranges listed above; check whether a WebVisu application is loaded and running (only then is the web server active); and check from the network side whether the runtime's HTTP port is reachable from segments that have no business reaching it.
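The inventory check described above, as an added example that is not part of the BaseFortify page or of any CODESYS tooling. It compares each device's runtime version against the affected ranges from the page's table (inclusive upper bounds, exactly as listed; if your vendor advisory names those builds as the fixed ones, change `<=` to `<` in `is_affected`) and, with `--probe`, sends one HTTP GET for the WebVisu page to see whether a web server is answering at all. The host list, the port and the path are assumptions: 8080 and `/webvisu.htm` are the CODESYS defaults and must be adjusted if your installation uses others, and the inventory is constructed sample data. The same probe can be re-run after disabling Web Visualization to confirm the port no longer answers.

```python
"""Affected-version and web-server exposure check for CVE-2026-8047.

Added example; not from the BaseFortify page or from CODESYS.
Assumptions (not stated on the page): WebVisu is served at
http://<host>:8080/webvisu.htm (the CODESYS default), and the
inventory below is constructed sample data.
"""
import socket
import sys
import urllib.error
import urllib.request

# Upper bounds of the affected ranges from the page's table, keyed by
# major release line. Both bounds are "up to and including".
AFFECTED_UPTO = {
    3: (3, 5, 22, 20),
    4: (4, 21, 0, 0),
}

# Constructed sample inventory: (name, host, reported runtime version).
SAMPLE_INVENTORY = [
    ("plc-line1", "192.0.2.10", "3.5.19.0"),
    ("plc-line2", "192.0.2.11", "3.5.22.20"),
    ("edge-gw",   "192.0.2.12", "4.21.0.0"),
    ("plc-new",   "192.0.2.13", "4.22.0.0"),
]


def parse_version(text):
    """'3.5.22.20' -> (3, 5, 22, 20); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version):
    """True if the version falls inside an affected range of the table."""
    v = parse_version(version)
    bound = AFFECTED_UPTO.get(v[0])
    if bound is None:
        return False  # release line not listed on the page
    return v <= bound  # inclusive, as the table says "(inc)"


def webvisu_reachable(host, port=8080, path="/webvisu.htm", timeout=3.0):
    """True if anything answers an HTTP GET for the WebVisu page.

    Any HTTP-level reply (including 401/404) means a web server is
    listening; only connection failures and timeouts count as 'off'.
    """
    url = f"http://{host}:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status < 500
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


def assess(inventory, probe=False):
    """Return one dict per device with the affected/active/exposed verdicts.

    'exposed' is True when the version is affected and the web server is
    active or (without --probe) simply not known to be inactive.
    """
    results = []
    for name, host, version in inventory:
        active = webvisu_reachable(host) if probe else None
        affected = is_affected(version)
        results.append({
            "name": name,
            "host": host,
            "version": version,
            "affected_version": affected,
            "webserver_active": active,
            "exposed": affected and active is not False,
        })
    return results


def main(argv):
    probe = "--probe" in argv
    print(f"{'device':<10} {'host':<14} {'version':<10} affected webserver exposed")
    for r in assess(SAMPLE_INVENTORY, probe=probe):
        active = "unknown" if r["webserver_active"] is None else str(r["webserver_active"])
        print(f"{r['name']:<10} {r['host']:<14} {r['version']:<10} "
              f"{str(r['affected_version']):<8} {active:<9} {r['exposed']}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Without `--probe` the script runs fully offline and reports only the version verdict; with `--probe` it touches each host once, so run it from a network position that is allowed to reach the runtimes' HTTP port.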
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to update the affected CODESYS Control products to the fixed versions named in the advisory, 3.5.22.20 for the 3.5 line or 4.21.0.0 for the 4.x line. Note that the affected-versions table above lists these same numbers as inclusive upper bounds, so confirm the exact fixed build against the CERT VDE advisory before relying on a version comparison alone.
If the update cannot be applied right away, disable the web server component or the Web Visualization feature, since the vulnerability only affects devices on which the web server is active; without a running WebVisu application, CmpWebServer is not listening.
Restricting network access to the runtime's HTTP port to the engineering or HMI segments that need it, and monitoring that port for malformed or unexpected HTTP requests, further reduces the exposure until the update is in place.