Critical CODESYS Vulnerabilities Let Attackers Backdoor PLCs

Marcus Rodriguez
April 27, 2026 3 Min Read

Key Takeaways

  • Multiple critical vulnerabilities have been discovered in the CODESYS Control runtime, a widely used software-based programmable logic controller (SoftPLC) platform.
  • Chaining these flaws allows an authenticated attacker to inject malicious code, backdoor PLCs, and gain full administrative control.
  • The vulnerabilities impact file permissions and backup restoration mechanisms.
  • Affected systems are prevalent across various industrial sectors, including energy, water treatment, and manufacturing.
  • Patches are available in CODESYS Control Runtime version 4.21.0.0 and Toolkit version 3.5.22.0.

Critical Flaws in CODESYS Control Runtime Expose Industrial PLCs to Backdooring

Cybersecurity researchers have identified a series of severe vulnerabilities within the CODESYS Control runtime, a foundational component for many industrial control systems globally. This software-based programmable logic controller (SoftPLC) platform is integral to operations in diverse sectors, ranging from critical infrastructure like water treatment and energy grids to complex automated manufacturing lines.

Analysis by Nozomi Networks Labs reveals that these security weaknesses, when exploited in sequence, enable an authenticated attacker to replace legitimate industrial control applications with malicious, backdoored versions. This process culminates in a complete privilege escalation, granting the attacker full administrative control over the targeted device.

Given that these PLCs directly govern physical processes, successful exploitation could lead to severe consequences, including production outages, extensive equipment damage, or the creation of hazardous operational environments.

Understanding the Vulnerabilities

The CODESYS Control runtime is responsible for managing real-time input/output processing and network communications within automated systems. The recently uncovered vulnerabilities primarily affect how the runtime handles file permissions and the restoration of backup files. Specifically, three CVEs have been assigned:

  • CVE-2025-41658 (CVSS 5.5, Medium): This flaw stems from incorrect default permissions, allowing local users to read sensitive CODESYS password hashes.
  • CVE-2025-41659 (CVSS 8.3, High): Improper permissions grant low-privilege users unauthorized access to critical cryptographic data.
  • CVE-2025-41660 (CVSS 8.8, High): A defect in resource transfer mechanisms permits the restoration of a tampered boot application onto the device.

The Attack Chain Explained

For an attacker to leverage these vulnerabilities, initial access to valid Service-level credentials is required. While standard security measures typically mitigate this, attackers could acquire these credentials through various methods, such as exploiting default passwords, compromising an engineering workstation, or utilizing CVE-2025-41658 to extract password hashes.

Once authenticated, the attack progresses through several distinct phases:

  • Application Download: The attacker first uses the platform’s backup functionality to download the active boot application from the PLC.
  • Cryptographic Key Theft: By exploiting CVE-2025-41659, the attacker extracts essential cryptographic material. This allows them to bypass optional code encryption and signing protections implemented by the system.
  • Tampering and Restoration: The attacker then injects malicious machine code into the downloaded binary. If necessary, they re-sign the tampered application and exploit CVE-2025-41660 to upload this backdoored version to the device.
  • Root Execution: The malicious code executes with root privileges when an operator restarts the application or reboots the system.
  • Privilege Escalation: With root access, the attacker modifies the local user database, granting themselves full Administrator rights on the system.

A compromised SoftPLC gives adversaries the ability to manipulate actuator behavior, alter critical safety setpoints, and override vital system interlocks, posing significant risks to industrial operations.

This attack methodology aligns with several MITRE ATT&CK for ICS techniques, including Manipulation of Control (T0831), Module Firmware modification (T0839), and Theft of Operational Information (T0882).

Patches and Mitigations

CODESYS Group has fully addressed these security issues. Patches are available in CODESYS Control Runtime version 4.21.0.0 and Toolkit version 3.5.22.0. To further enhance security and prevent future tampering, CODESYS has made code signing a mandatory default for all PLC code prior to its deployment or execution.

What You Should Do

  • Apply Updates Immediately: Update all CODESYS Control Runtime installations to version 4.21.0.0 and Toolkit to version 3.5.22.0 without delay.
  • Enforce Network Segmentation: Implement strict network segmentation to isolate industrial control systems from enterprise networks and the internet.
  • Monitor Industrial Networks: Continuously monitor industrial network traffic for any suspicious activity or unauthorized access attempts.
  • Review Access Controls: Regularly audit and enforce least privilege principles for all user accounts, especially those with Service-level access to PLCs.
  • Implement Strong Authentication: Ensure strong, unique passwords are used for all accounts, and consider multi-factor authentication where possible.
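A defender-side audit for the two weaknesses this article describes, written as an added example rather than CODESYS or Nozomi code: it flags runtime files holding password hashes or key material that other local users can read (the condition behind CVE-2025-41658 and CVE-2025-41659) and detects a boot application whose hash no longer matches the baseline recorded at deployment (what a restored, tampered application looks like after CVE-2025-41660). The directory layout, file names and sample contents are assumptions constructed for the demo.

```python
"""Audit a CODESYS-style runtime directory for exposed secrets and a changed
boot application. Added example; paths and file names are assumed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumed layout of a runtime working directory (not taken from the article).
BOOT_APP = Path("PlcLogic/Application/Application.app")
SENSITIVE = ("passwords.db", "PlcKey.key")  # assumed names of hash/key stores


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def exposed_sensitive_files(root: Path) -> list[str]:
    """Sensitive files readable by group or others; a hardened host returns []."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.name in SENSITIVE:
            if p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def boot_app_tampered(root: Path, baseline_sha256: str) -> bool:
    """True when the boot application differs from the hash taken at deployment."""
    return sha256_of(root / BOOT_APP) != baseline_sha256


def audit(root: Path, baseline_sha256: str) -> dict:
    return {"exposed": exposed_sensitive_files(root),
            "boot_app_tampered": boot_app_tampered(root, baseline_sha256)}


def build_demo(root: Path) -> str:
    """Constructed sample tree; returns the baseline hash of the clean app."""
    app = root / BOOT_APP
    app.parent.mkdir(parents=True)
    app.write_bytes(b"\x7fDEMO-APP")              # constructed clean app
    baseline = sha256_of(app)
    (root / "passwords.db").write_bytes(b"Administrator:$demo$hash")
    os.chmod(root / "passwords.db", 0o644)        # weak default: world-readable
    (root / "cert").mkdir()
    (root / "cert" / "PlcKey.key").write_bytes(b"-----DEMO KEY-----")
    os.chmod(root / "cert" / "PlcKey.key", 0o600)  # correct: owner-only
    app.write_bytes(b"\x7fDEMO-APP" + b"\x90" * 8)  # simulate a restored, altered app
    return baseline


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return audit(Path(tmp), build_demo(Path(tmp)))
```

Record the baseline hash at deployment time and re-run the audit on a schedule; an unexplained hash change or a newly readable secret is an indicator worth an incident ticket.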
