9 matches found
CVE-2019-9013
CVE-2019-9013 affects 3S-Smart CODESYS V3 products containing CmpUserMgr; the root cause is that credentials may be transported without TLS protection, enabling credential exposure. Affected are multiple CODESYS V3 runtimes and HMI/SDK components across BeagleBone, emPC-A/iMX6, IOT2000, Linux, PF...
CVE-2022-22515
CVE-2022-22515 affects the CODESYS Control runtime system. A remote, authenticated attacker could use the control program to read and modify the affected product’s configuration files. The available documents describe the impact (unauthorized read/write of config files) and the attack path but do...
CVE-2023-3663
CVE-2023-3663 concerns the CODESYS Development System: versions 3.5.11.0–3.5.19.20 suffer a missing integrity check in the HTTP notification content, allowing an unauthenticated remote attacker to manipulate notifications sent by the CODESYS notification server. This can enable MITM-style manipul...
CVE-2021-21865
CVE-2021-21865 affects CODESYS Development System 3.5.16. The vulnerability is in PackageManagement.plugin ExtensionMethods.Clone(), which leverages BinaryFormatter to serialize/deserialize and exposes deserialization of untrusted data, enabling arbitrary command execution on exploitation (as des...
CVE-2022-4224
CVE-2022-4224 affects CODESYS v3 in multiple versions. A remote, low-privilege attacker could read/modify system files and OS resources or cause a DoS. CVSSv3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8). No concrete remediation details are provided in the supplied documents; ex...
CVE-2021-21866
CODESYS Development System 3.5.16–3.5.17 contains an unsafe deserialization vulnerability in the ObjectManager.plugin’s ProfileInformation.ProfileData. The issue arises from using BinaryFormatter.Deserialize on untrusted input when loading the profile data (ProfileData property), enabling a craft...
CVE-2021-21863
The TALOS report documents a deserialization vulnerability in CODESYS Development System 3.5.16–3.5.17. The flaw is in ComponentModel.Profile.FromFile(), which deserializes a profile via BinaryFormatter.Deserialize, a known unsafe pattern for untrusted input. This can lead to arbitrary code execu...
CVE-2026-44468
CVE-2026-44468 affects CODESYS Development System. During administrative installation, the process creates a directory with insecure default permissions, allowing a low‑privileged local attacker to modify a temporary file that defines components to be installed. This enables local privilege escal...
CVE-2026-44469
The CVE-2026-44469 entry concerns CODESYS Development System. During administrative installation, installation files are extracted to a temporary directory with incorrect default permissions. A low-privileged local attacker could exploit a TOCTOU race condition within a practical time window to r...