<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Codesys — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/codesys/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 25 Mar 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/codesys/feed.xml" rel="self" type="application/rss+xml"/><item><title>CODESYS Control Runtime System Audit Log DoS Vulnerability (CVE-2026-3509)</title><link>https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/</link><pubDate>Wed, 25 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-codesys-dos/</guid><description>An unauthenticated remote attacker can exploit CVE-2026-3509 in the CODESYS Control runtime system to control the format string of messages processed by the Audit Log, leading to a denial-of-service (DoS) condition.</description><content:encoded>&lt;p>CVE-2026-3509 describes a format string vulnerability within the Audit Log of the CODESYS Control runtime system. This vulnerability allows an unauthenticated remote attacker to influence the format string of messages processed by the affected system. Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition, impacting the availability of the CODESYS Control runtime system. The vulnerability was reported on March 24, 2026. CODESYS is a popular development…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>codesys</category><category>dos</category><category>cve-2026-3509</category><category>ics</category><category>ot</category></item><item><title>CODESYS Multiple Vulnerabilities Allow Arbitrary Code Execution and DoS</title><link>https://feed.craftedsignal.io/briefs/2026-03-codesys-vulns/</link><pubDate>Wed, 25 Mar 2026 09:46:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-codesys-vulns/</guid><description>Multiple vulnerabilities in CODESYS allow a remote attacker to execute arbitrary program code and conduct a denial-of-service attack.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in CODESYS, a software platform widely used for industrial automation. These vulnerabilities, if exploited, could allow a remote attacker to execute arbitrary program code on affected systems and/or cause a denial-of-service (DoS) condition. Given the prevalence of CODESYS in critical infrastructure and manufacturing environments, these vulnerabilities pose a significant risk. Public details are limited, but the potential impact necessitates immediate action from defenders to identify and mitigate potentially vulnerable CODESYS installations. Successful exploitation can lead to significant disruption of industrial processes, data manipulation, and potentially physical damage depending on the affected systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable CODESYS installation accessible over the network (e.g., via Shodan or similar).</li>
<li>Attacker crafts a malicious request specifically targeting one of the CODESYS vulnerabilities. Due to lack of specifics, this step is generic. Example attack vectors could include crafted network packets or malicious project files.</li>
<li>The malicious request is sent to the vulnerable CODESYS service.</li>
<li>The CODESYS service improperly processes the request due to the vulnerability.</li>
<li>This improper processing leads to arbitrary code execution within the context of the CODESYS service.</li>
<li>The attacker executes malicious code to gain control of the CODESYS runtime. This code could install a backdoor, modify control logic, or exfiltrate data.</li>
<li>Alternatively, the malformed request triggers a denial-of-service condition, causing the CODESYS service or the entire system to crash.</li>
<li>The attacker disrupts industrial processes or gains unauthorized access to the industrial control system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these CODESYS vulnerabilities can have severe consequences, including unauthorized access to industrial control systems, disruption of critical infrastructure, data manipulation, and potentially physical damage. The number of affected systems is potentially large, given the widespread use of CODESYS in various sectors including manufacturing, energy, and transportation. A successful attack could lead to significant financial losses, reputational damage, and even safety risks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for suspicious activity targeting CODESYS services. Use the network connection rule below to detect unusual processes connecting to CODESYS ports.</li>
<li>Implement strict network segmentation to limit the exposure of CODESYS installations to external networks.</li>
<li>Since specific CVEs are not available, regularly check the CODESYS website for security updates and apply them immediately.</li>
<li>Investigate any crashes or unexpected behavior of CODESYS services. Use process creation logs with the process creation rule below to determine whether a malicious process caused the crash.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>codesys</category><category>vulnerability</category><category>arbitrary-code-execution</category><category>denial-of-service</category><category>ics</category></item></channel></rss>