Full Report
New research from Nozomi Networks Labs reveals that attackers can chain multiple vulnerabilities in the widely used CODESYS... The post Chained vulnerabilities in CODESYS runtime could allow root-level control of industrial devices, Nozomi warns appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: CODESYS Control Runtime Privilege Escalation and Logic Tampering Chain
## CVE Details
- **CVE IDs:**
  - **CVE-2025-41658:** Local access vulnerability allowing the reading of password hashes.
  - **CVE-2025-41659:** Unauthorized access to cryptographic material/keys on the Soft PLC.
  - **CVE-2025-41660:** Vulnerability in the backup/restore mechanism allowing the overwrite of legitimate applications.
- **CVSS Score:** Not explicitly listed in the article; the impact is characterized as root-level control of critical infrastructure devices (estimated High/Critical).
- **CWE:** CWE-287 (Improper Authentication), CWE-311 (Missing Encryption), CWE-94 (Code Injection).
## Affected Systems
- **Products:** CODESYS Control runtime (Multiple variants).
- **Versions:** Broad set of CODESYS Control runtimes (Specific versions not listed; Nozomi tested on CODESYS Control for Raspberry Pi SL).
- **Configurations:** Systems utilizing the CODESYS Development System’s backup/restore functionality and those with default or weak "Service-level" credentials.
## Vulnerability Description
Researchers identified a chain of vulnerabilities that allow an authenticated "Service-level" user to escalate privileges to "Root." The flaw resides in how the runtime handles backup files and cryptographic material.
1. **Credential Access:** Attackers gain Service-level access (via weak passwords or CVE-2025-41658).
2. **Key Extraction:** Using CVE-2025-41659, the attacker extracts cryptographic keys used for code signing and encryption.
3. **Logic Tampering:** The attacker downloads the boot application, decrypts it, injects malicious machine code, and re-signs/re-encrypts it using the stolen keys.
4. **Restoration:** Using CVE-2025-41660, the attacker restores the malicious application to the PLC.
5. **Execution:** Upon the next reboot, the malicious code executes with root privileges.
## Exploitation
- **Status:** PoC developed by Nozomi Networks Labs (No confirmed "in the wild" exploitation mentioned).
- **Complexity:** Medium (Requires knowledge of CODESYS protocols and logic tampering).
- **Attack Vector:** Network (to access the runtime) or Local (to gain initial credentials).
## Impact
- **Confidentiality:** High (Extraction of cryptographic keys and password hashes).
- **Integrity:** High (Unauthorized modification of industrial control logic and system binaries).
- **Availability:** High (Ability to halt production, cause unsafe physical conditions, or brick the device).
## Remediation
### Patches
- While the article references the researcher’s findings, users should consult the official **CODESYS Advisory Portal** for specific security updates related to CVE-2025-41658, CVE-2025-41659, and CVE-2025-41660.
### Workarounds
- **Credential Hardening:** Change default Service-level and Administrator passwords immediately.
- **Network Segmentation:** Isolate PLC management traffic from the corporate network.
- **Physical/Local Security:** Limit local access to Soft PLCs to prevent local credential harvesting via CVE-2025-41658.
- **Disable Unused Services:** Disable the backup/restore feature if not strictly required for operations.
## Detection
- **Indicators of Compromise:** Unexpected system reboots followed by unauthorized changes in PLC logic; modification of the user database; unauthorized backup/restore events in CODESYS logs.
- **Detection Methods:** Monitor network traffic for unusual large-file transfers (backups) to/from PLCs via the CODESYS protocol; use ICS-aware IDS/IPS to detect exploitation of known CODESYS vulnerabilities.
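The indicators above can be correlated in a few lines of log logic. The following is an added example, not code from Nozomi or CODESYS: it runs over a constructed, hypothetical runtime log format (timestamp, user, event) and flags backup/restore by users outside an assumed authorized set, user-database modifications, and a restore followed by a reboot and boot-application load within a short window.

```python
"""Correlate runtime log events against the indicators of compromise listed
above. The log format here is a hypothetical one constructed for this
example; adapt parse_events() to the real log source in use."""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<name> event=<type>"
SAMPLE_LOG = """\
2025-06-01T08:00:05 user=service event=login
2025-06-01T08:02:10 user=service event=backup_download
2025-06-01T08:05:40 user=service event=restore_upload
2025-06-01T08:06:00 user=system event=reboot
2025-06-01T08:06:30 user=system event=boot_app_loaded
2025-06-01T09:00:00 user=admin event=login
2025-06-01T09:01:00 user=admin event=userdb_modified
"""

AUTHORIZED_RESTORE_USERS = {"admin"}   # assumption: adjust to site policy
REBOOT_WINDOW = timedelta(minutes=10)  # restore -> reboot correlation window


def parse_events(text):
    """Parse the constructed format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts),
                       user.split("=", 1)[1], event.split("=", 1)[1]))
    return events


def detect(text):
    """Return a list of (timestamp, rule, detail) alerts for analyst review."""
    events = parse_events(text)
    alerts = []
    for i, (ts, user, ev) in enumerate(events):
        if ev in ("backup_download", "restore_upload") and user not in AUTHORIZED_RESTORE_USERS:
            alerts.append((ts, "unauthorized_backup_restore", f"{user} performed {ev}"))
        if ev == "userdb_modified":
            alerts.append((ts, "user_database_modified", f"by {user}"))
        if ev == "restore_upload":
            # A restore followed by a reboot and a boot-application load inside
            # the window matches the final steps of the described chain.
            names = [e[2] for e in events[i + 1:] if e[0] - ts <= REBOOT_WINDOW]
            if "reboot" in names and "boot_app_loaded" in names:
                alerts.append((ts, "restore_then_reboot_chain",
                               f"restore by {user} followed by reboot and boot app load"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```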
## References
- Nozomi Networks Labs Research: hxxps[://]www[.]nozominetworks[.]com/blog/
- Industrial Cyber Article: hxxps[://]industrialcyber[.]co/threats-attacks/chained-vulnerabilities-in-codesys-runtime-could-allow-root-level-control-of-industrial-devices-nozomi-warns/
- CODESYS Security Advisories: hxxps[://]security[.]codesys[.]com/
- MITRE ATT&CK for ICS: hxxps[://]attack[.]mitre[.]org/matrices/ics/