{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openplc/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenPLC v3"],"_cs_severities":["critical"],"_cs_tags":["ics","scada","vulnerability","rce","authenticated-rce","file-write","cwe-73"],"_cs_type":"advisory","_cs_vendors":["OpenPLC"],"content_html":"\u003cp\u003eOpenPLC v3 is affected by CVE-2026-14480, an authenticated arbitrary file write vulnerability (CWE-73) within its legacy web UI program-upload workflow. This critical flaw allows an authenticated attacker to manipulate the \u003ccode\u003eprog_file\u003c/code\u003e parameter, typically used for specifying a filename, to instead provide a path traversal sequence. The system fails to validate or restrict this path, enabling the attacker to write arbitrary files to any location writable by the OpenPLC webserver process. This arbitrary file write can be escalated to arbitrary native code execution; by injecting a malicious C++ file into the OpenPLC Runtime Core directory, an attacker can ensure their code is automatically compiled and executed as part of the normal OpenPLC program compilation process when an operator starts the runtime. This vulnerability poses a significant risk to critical infrastructure sectors including Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater, with deployments worldwide. OpenPLC v3 is now end-of-life and will not receive patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the OpenPLC v3 web UI, typically using legitimate or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the legacy program-upload workflow, which handles PLC program submissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request, sending a crafted \u003ccode\u003eprog_file\u003c/code\u003e parameter containing a path traversal sequence (e.g., \u003ccode\u003e../../../OpenPLC_Runtime_Core/malicious.cpp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to insufficient path validation, the OpenPLC webserver process writes the attacker-controlled malicious C++ file (e.g., \u003ccode\u003emalicious.cpp\u003c/code\u003e) to the specified arbitrary location within the OpenPLC Runtime Core directory.\u003c/li\u003e\n\u003cli\u003eAt a later point, a legitimate operator initiates a normal program compilation and runtime start operation within the OpenPLC environment.\u003c/li\u003e\n\u003cli\u003eDuring this standard compilation process, the attacker's previously written \u003ccode\u003emalicious.cpp\u003c/code\u003e file is automatically included, compiled, and linked into the OpenPLC runtime binary.\u003c/li\u003e\n\u003cli\u003eThe newly compiled OpenPLC runtime binary, now containing the attacker's embedded code, is executed.\u003c/li\u003e\n\u003cli\u003eThis execution leads to arbitrary native code execution on the OpenPLC server, with the privileges of the OpenPLC runtime user, potentially compromising the control system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14480 allows an authenticated attacker to achieve arbitrary native code execution as the OpenPLC runtime user. This grants the attacker significant control over the affected system, enabling them to disrupt operations, manipulate processes, or exfiltrate sensitive data. Given OpenPLC's deployment in critical infrastructure sectors such as Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater, the impact could range from operational disruption and safety hazards to widespread system compromise and economic damage. OpenPLC v3 being end-of-life means that affected organizations are left vulnerable unless they upgrade to v4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenPLC v3 instances to OpenPLC v4 immediately, as recommended by OpenPLC, due to OpenPLC v3 being end-of-life and no longer receiving security updates for CVE-2026-14480.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as highlighted in the CISA recommendations.\u003c/li\u003e\n\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks, as advised by CISA for CVE-2026-14480.\u003c/li\u003e\n\u003cli\u003eWhen remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), and ensure VPNs are updated to the most current version available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T15:57:54Z","date_published":"2026-07-09T15:57:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openplc-v3-arbitrary-file-write/","summary":"An authenticated arbitrary file write vulnerability (CVE-2026-14480) in OpenPLC v3's legacy web UI program-upload workflow allows attackers to write arbitrary files, escalating to arbitrary native code execution as the OpenPLC runtime user when an operator triggers program compilation.","title":"OpenPLC v3 Arbitrary File Write Leads to Native Code Execution (CVE-2026-14480)","url":"https://feed.craftedsignal.io/briefs/2026-07-openplc-v3-arbitrary-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenPLC","version":"https://jsonfeed.org/version/1.1"}