Critical CODESYS Vulnerabilities Let Attackers Backdoor PLCs
Key Takeaways
- Multiple critical vulnerabilities have been discovered in the CODESYS Control runtime, a widely used software-based programmable logic controller (SoftPLC) platform.
- Chaining these flaws allows an authenticated attacker to inject malicious code, backdoor PLCs, and gain full administrative control.
- The vulnerabilities impact file permissions and backup restoration mechanisms.
- Affected systems are prevalent across various industrial sectors, including energy, water treatment, and manufacturing.
- Patches are available in CODESYS Control Runtime version 4.21.0.0 and Toolkit version 3.5.22.0.
Critical Flaws in CODESYS Control Runtime Expose Industrial PLCs to Backdooring
Cybersecurity researchers have identified a series of severe vulnerabilities within the CODESYS Control runtime, a foundational component for many industrial control systems globally. This software-based programmable logic controller (SoftPLC) platform is integral to operations in diverse sectors, ranging from critical infrastructure like water treatment and energy grids to complex automated manufacturing lines.
Analysis by Nozomi Networks Labs reveals that these security weaknesses, when exploited in sequence, enable an authenticated attacker to replace legitimate industrial control applications with malicious, backdoored versions. This process culminates in a complete privilege escalation, granting the attacker full administrative control over the targeted device.
Given that these PLCs directly govern physical processes, successful exploitation could lead to severe consequences, including production outages, extensive equipment damage, or the creation of hazardous operational environments.
Understanding the Vulnerabilities
The CODESYS Control runtime is responsible for managing real-time input/output processing and network communications within automated systems. The recently uncovered vulnerabilities primarily affect how the runtime handles file permissions and the restoration of backup files. Specifically, three CVEs have been assigned:
- CVE-2025-41658 (CVSS 5.5, Medium): This flaw stems from incorrect default permissions, allowing local users to read sensitive CODESYS password hashes.
- CVE-2025-41659 (CVSS 8.3, High): Improper permissions grant low-privilege users unauthorized access to critical cryptographic data.
- CVE-2025-41660 (CVSS 8.8, High): A defect in resource transfer mechanisms permits the restoration of a tampered boot application onto the device.
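Two of the three CVEs above come down to files that are readable by accounts other than the one that owns them. The script below is an added illustration, not code from the article, from Nozomi Networks Labs or from CODESYS: it walks a directory tree, flags any sensitive-looking file whose permission bits allow group or world access, and demonstrates itself on a constructed temporary directory. The directory layout, the file names and the `.key`/`.pem`/`.cfg`/`.db` suffix list are placeholders, not the runtime's real paths; point `audit_tree()` at the actual runtime data directory on an unpatched host to see what other local users can read.

```python
"""Audit a directory for secret files readable beyond their owner.

Added example (not from the article or from CODESYS). CVE-2025-41658
and CVE-2025-41659 both stem from overly permissive default file
permissions, so the first defender-side check on an unpatched host is
whether password hashes or key material are exposed to other local
accounts. All paths and file names here are placeholders.
"""
import os
import stat
import tempfile
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    mode: str      # octal permission string, e.g. "0o644"
    problem: str   # "world-writable", "world-readable" or "group-readable"


def classify(mode: int) -> list[str]:
    """Return the problems with a permission value (empty list if fine).

    Only the permission bits are examined; pass stat.S_IMODE(st_mode)
    or a plain octal literal such as 0o644.
    """
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    return problems


# Placeholder suffixes standing in for whatever the runtime uses for
# credential stores, keys and certificates on a real installation.
SENSITIVE_SUFFIXES = (".key", ".pem", ".cfg", ".db")


def audit_tree(root: str, suffixes=SENSITIVE_SUFFIXES) -> list[Finding]:
    """Walk root and report every regular file with a sensitive suffix
    whose permissions allow access by group or others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            perm = stat.S_IMODE(st.st_mode)
            for problem in classify(perm):
                findings.append(Finding(path, oct(perm), problem))
    return findings


def demo() -> dict[str, list[str]]:
    """Create a constructed directory with good and bad files, audit it,
    and return a mapping of file name -> problems found."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "users.db": 0o644,     # bad: any local account can read it
            "runtime.key": 0o640,  # bad: group-readable secret
            "cert.pem": 0o600,     # good: owner only
            "notes.txt": 0o666,    # ignored: not a sensitive suffix
        }
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("placeholder content\n")
            os.chmod(path, mode)   # chmod sets the exact bits regardless of umask
        result: dict[str, list[str]] = {}
        for f in audit_tree(root):
            result.setdefault(os.path.basename(f.path), []).append(f.problem)
        return result


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {', '.join(problems)}")
```

The check is deliberately conservative: group-readable is reported as a problem too, because on a shared host the runtime's group may include low-privilege service accounts, which is exactly the exposure CVE-2025-41659 describes.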
The Attack Chain Explained
For an attacker to leverage these vulnerabilities, initial access to valid Service-level credentials is required. Standard security controls normally keep such credentials out of reach, but attackers could still acquire them through various methods, such as exploiting default passwords, compromising an engineering workstation, or using CVE-2025-41658 to extract password hashes.
Once authenticated, the attack progresses through several distinct phases:
- Application Download: The attacker first uses the platform’s backup functionality to download the active boot application from the PLC.
- Cryptographic Key Theft: By exploiting CVE-2025-41659, the attacker extracts essential cryptographic material. This allows them to bypass optional code encryption and signing protections implemented by the system.
- Tampering and Restoration: The attacker then injects malicious machine code into the downloaded binary. If necessary, they re-sign the tampered application and exploit CVE-2025-41660 to upload this backdoored version to the device.
- Root Execution: The malicious code executes with root privileges when an operator restarts the application or reboots the system.
- Privilege Escalation: With root access, the attacker modifies the local user database, granting themselves full Administrator rights on the system.
A compromised SoftPLC provides adversaries with the ability to manipulate actuator behavior, alter critical safety setpoints, and override vital system interlocks, posing significant risks to industrial operations.
This attack methodology aligns with several MITRE ATT&CK for ICS techniques, including Manipulation of Control (T0831), Module Firmware modification (T0839), and Theft of Operational Information (T0882).
Patches and Mitigations
CODESYS Group has fully addressed these security issues. Patches are available in CODESYS Control Runtime version 4.21.0.0 and Toolkit version 3.5.22.0. To further enhance security and prevent future tampering, CODESYS has made code signing a mandatory default for all PLC code prior to its deployment or execution.
What You Should Do
- Apply Updates Immediately: Update all CODESYS Control Runtime installations to version 4.21.0.0 and Toolkit to version 3.5.22.0 without delay.
- Enforce Network Segmentation: Implement strict network segmentation to isolate industrial control systems from enterprise networks and the internet.
- Monitor Industrial Networks: Continuously monitor industrial network traffic for any suspicious activity or unauthorized access attempts.
- Review Access Controls: Regularly audit and enforce least privilege principles for all user accounts, especially those with Service-level access to PLCs.
- Implement Strong Authentication: Ensure strong, unique passwords are used for all accounts, and consider multi-factor authentication where possible.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.