CODESYS Runtime Vulnerabilities Enable Backdoor Attacks on Industrial Control Systems
Severity: High (Score: 70.5)
Sources: www.nozominetworks.com, Industrialcyber.Co
Summary
Research from Nozomi Networks Labs has identified multiple vulnerabilities in the CODESYS Control runtime, allowing authenticated attackers to backdoor industrial control applications. The vulnerabilities, which include CVE-2025-41658, CVE-2025-41659, and CVE-2025-41660, enable attackers with Service-level credentials to replace legitimate applications with malicious ones that execute with root privileges. This poses a significant risk to CODESYS-powered PLCs used in critical sectors such as manufacturing, energy, and water systems. The flaws allow for the extraction of cryptographic material and bypassing of security protections like code signing. All identified vulnerabilities have been patched in the latest versions of CODESYS Control Runtime and Toolkit. Operators are urged to apply these updates immediately to mitigate risks. The attack vector primarily exploits weak credential management and can lead to severe operational disruptions.
Key Points
- Multiple vulnerabilities in CODESYS Control runtime allow backdoor attacks.
- Attackers can exploit Service-level credentials to gain root access.
- CODESYS has released patches for the identified vulnerabilities.
Key Entities
- Codesys Group (company)
- Nozomi Networks Labs (company)
- CVE-2025-41658 (cve)
- CVE-2025-41659 (cve)
- CVE-2025-41660 (cve)
- application.app (domain)
- applicationname.app (domain)
- Energy (industry)
- Manufacturing (industry)
- Raspberry Pi (tool)
- Windows (platform)