Home

Description

A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.

PUBLISHED Reserved 2025-04-16 | Published 2025-08-04 | Updated 2025-08-04 | Assigner CERTVDE




HIGH: 8.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

Product status

Default status
unaffected

0.0.0.0 (semver) before 3.5.21.20
affected

Default status
unaffected

0.0.0.0 (semver) before 3.5.21.20
affected

Default status
unaffected

0.0.0.0 (semver) before 3.5.21.20
affected

Default status
unaffected

0.0.0.0 (semver) before 3.5.21.20
affected

Default status
unaffected

0.0.0.0 (semver) before 3.5.21.20
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Default status
unaffected

0.0.0.0 (semver) before 4.17.0.0
affected

Credits

Luca Borzacchiello from Nozomi Networks finder

References

certvde.com/de/advisories/VDE-2025-051

cve.org (CVE-2025-41659)

nvd.nist.gov (CVE-2025-41659)

Download JSON