wid-sec-w-2026-0832 · Published 2026-03-23 · View on BSI CERT-Bund ↗

CODESYS: Multiple Vulnerabilities

CVSS 8.8 HIGH

Risk Summary

A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.

CVEs (2)

CVE-2025-41660 CVE-2026-3509

Affected Vendors

CODESYS

Affected Products (4)

CODESYS · CODESYS <3.5.22.0

CODESYS · CODESYS 3.5.22.0

CODESYS · CODESYS <4.21.0.0

CODESYS · CODESYS 4.21.0.0

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more