{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-41660/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CODESYS Control Runtime"],"_cs_severities":["high"],"_cs_tags":["codesys","unauthorized-code-execution","cve-2025-41660"],"_cs_type":"advisory","_cs_vendors":["CODESYS"],"content_html":"\u003cp\u003eCVE-2025-41660 describes a vulnerability in the CODESYS Control runtime system. A low-privileged remote attacker can exploit this vulnerability to replace the boot application of the CODESYS Control runtime system. This allows the attacker to execute unauthorized code on the affected system. The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity. The vulnerability was published on 2026-03-24. This vulnerability allows for complete compromise of the affected CODESYS system, potentially disrupting industrial control processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains low-privileged network access to the CODESYS Control runtime system.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2025-41660 to initiate the boot application replacement process. This likely involves sending a crafted request to a specific network service exposed by the CODESYS runtime.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious boot application to the CODESYS Control runtime system.\u003c/li\u003e\n\u003cli\u003eThe system validates (or fails to properly validate) the new boot application.\u003c/li\u003e\n\u003cli\u003eThe CODESYS Control runtime system reboots and loads the malicious boot application.\u003c/li\u003e\n\u003cli\u003eThe malicious boot application executes arbitrary code on the system, granting the attacker control.\u003c/li\u003e\n\u003cli\u003eThe attacker can now manipulate industrial control processes, potentially causing damage or disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-41660 allows a low-privileged attacker to gain complete control over the CODESYS Control runtime system. This could lead to disruption of industrial control processes, data theft, or physical damage to equipment. The CODESYS platform is used in a wide range of industries, including manufacturing, energy, and infrastructure, so the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates from CODESYS to address CVE-2025-41660 as soon as they are released.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic to CODESYS Control runtime systems for suspicious activity related to boot application replacement. Consider deploying the Sigma rules below.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to CODESYS Control runtime systems from untrusted networks.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong authentication and authorization policies for CODESYS Control runtime systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-21T12:00:00Z","date_published":"2024-01-21T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-codesys-boot-app-replace/","summary":"A low-privileged remote attacker can replace the boot application of the CODESYS Control runtime system via CVE-2025-41660, leading to unauthorized code execution.","title":"CODESYS Control Runtime Boot Application Replacement Vulnerability (CVE-2025-41660)","url":"https://feed.craftedsignal.io/briefs/2024-01-codesys-boot-app-replace/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2025-41660","version":"https://jsonfeed.org/version/1.1"}