<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CODESYS Control Runtime - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/codesys-control-runtime/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 21 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/codesys-control-runtime/feed.xml" rel="self" type="application/rss+xml"/><item><title>CODESYS Control Runtime Boot Application Replacement Vulnerability (CVE-2025-41660)</title><link>https://feed.craftedsignal.io/briefs/2024-01-codesys-boot-app-replace/</link><pubDate>Sun, 21 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-codesys-boot-app-replace/</guid><description>A low-privileged remote attacker can replace the boot application of the CODESYS Control runtime system via CVE-2025-41660, leading to unauthorized code execution.</description><content:encoded><![CDATA[<p>CVE-2025-41660 describes a vulnerability in the CODESYS Control runtime system. A low-privileged remote attacker can exploit this vulnerability to replace the boot application of the CODESYS Control runtime system. This allows the attacker to execute unauthorized code on the affected system. The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity. The vulnerability was published on 2026-03-24. This vulnerability allows for complete compromise of the affected CODESYS system, potentially disrupting industrial control processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains low-privileged network access to the CODESYS Control runtime system.</li>
<li>The attacker exploits CVE-2025-41660 to initiate the boot application replacement process. This likely involves sending a crafted request to a specific network service exposed by the CODESYS runtime.</li>
<li>The attacker uploads a malicious boot application to the CODESYS Control runtime system.</li>
<li>The system validates (or fails to properly validate) the new boot application.</li>
<li>The CODESYS Control runtime system reboots and loads the malicious boot application.</li>
<li>The malicious boot application executes arbitrary code on the system, granting the attacker control.</li>
<li>The attacker can now manipulate industrial control processes, potentially causing damage or disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-41660 allows a low-privileged attacker to gain complete control over the CODESYS Control runtime system. This could lead to disruption of industrial control processes, data theft, or physical damage to equipment. The CODESYS platform is used in a wide range of industries, including manufacturing, energy, and infrastructure, so the potential impact is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or updates from CODESYS to address CVE-2025-41660 as soon as they are released.</li>
<li>Monitor network traffic to CODESYS Control runtime systems for suspicious activity related to boot application replacement. Consider deploying the Sigma rules below.</li>
<li>Implement network segmentation to limit access to CODESYS Control runtime systems from untrusted networks.</li>
<li>Review and enforce strong authentication and authorization policies for CODESYS Control runtime systems.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>codesys</category><category>unauthorized-code-execution</category><category>cve-2025-41660</category></item></channel></rss>