{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/codesys/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["codesys","dos","cve-2026-3509","ics","ot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3509 describes a format string vulnerability within the Audit Log of the CODESYS Control runtime system. This vulnerability allows an unauthenticated remote attacker to influence the format string of messages processed by the affected system. Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition, impacting the availability of the CODESYS Control runtime system. The vulnerability was reported on March 24, 2026. CODESYS is a popular development…\u003c/p\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-codesys-dos/","summary":"An unauthenticated remote attacker can exploit CVE-2026-3509 in the CODESYS Control runtime system to control the format string of messages processed by the Audit Log, leading to a denial-of-service (DoS) condition.","title":"CODESYS Control Runtime System Audit Log DoS Vulnerability (CVE-2026-3509)","url":"https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["codesys","vulnerability","arbitrary-code-execution","denial-of-service","ics"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in CODESYS, a software platform widely used for industrial automation. These vulnerabilities, if exploited, could allow a remote attacker to execute arbitrary program code on affected systems and/or cause a denial-of-service (DoS) condition. Given the prevalence of CODESYS in critical infrastructure and manufacturing environments, these vulnerabilities pose a significant risk. Public details are limited, but the potential impact necessitates immediate action from defenders to identify and mitigate potentially vulnerable CODESYS installations. Successful exploitation can lead to significant disruption of industrial processes, data manipulation, and potentially physical damage depending on the affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable CODESYS installation accessible over the network (e.g., via Shodan or similar).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request specifically targeting one of the CODESYS vulnerabilities. Due to lack of specifics, this step is generic. Example attack vectors could include crafted network packets or malicious project files.\u003c/li\u003e\n\u003cli\u003eThe malicious request is sent to the vulnerable CODESYS service.\u003c/li\u003e\n\u003cli\u003eThe CODESYS service improperly processes the request due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThis improper processing leads to arbitrary code execution within the context of the CODESYS service.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious code to gain control of the CODESYS runtime. This code could install a backdoor, modify control logic, or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eAlternatively, the malformed request triggers a denial-of-service condition, causing the CODESYS service or the entire system to crash.\u003c/li\u003e\n\u003cli\u003eThe attacker disrupts industrial processes or gains unauthorized access to the industrial control system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these CODESYS vulnerabilities can have severe consequences, including unauthorized access to industrial control systems, disruption of critical infrastructure, data manipulation, and potentially physical damage. The number of affected systems is potentially large, given the widespread use of CODESYS in various sectors including manufacturing, energy, and transportation. A successful attack could lead to significant financial losses, reputational damage, and even safety risks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity targeting CODESYS services. Use the network connection rule below to detect unusual processes connecting to CODESYS ports.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation to limit the exposure of CODESYS installations to external networks.\u003c/li\u003e\n\u003cli\u003eSince specific CVEs are not available, regularly check the CODESYS website for security updates and apply them immediately.\u003c/li\u003e\n\u003cli\u003eInvestigate any crashes or unexpected behavior of CODESYS services, using process creation logs with the process creation rule below to see if the crash was caused by a malicious process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T09:46:08Z","date_published":"2026-03-25T09:46:08Z","id":"/briefs/2026-03-codesys-vulns/","summary":"Multiple vulnerabilities in CODESYS allow a remote attacker to execute arbitrary program code and conduct a denial-of-service attack.","title":"CODESYS Multiple Vulnerabilities Allow Arbitrary Code Execution and DoS","url":"https://feed.craftedsignal.io/briefs/2026-03-codesys-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Codesys","version":"https://jsonfeed.org/version/1.1"}