Multiple vulnerabilities in the CODESYS Control runtime, one of the world\u2019s most widely adopted software-based programmable logic controller (Soft PLC)<\/a> platforms.<\/p>\n According to Nozomi Networks Labs researchers, by chaining these security flaws, an authenticated attacker can replace a legitimate industrial control application with a backdoored version, thereby escalating their privileges to full administrative control of the targeted device.<\/p>\n CODESYS is utilized across diverse industrial sectors, from water treatment facilities and energy grids to automated manufacturing lines.<\/p>\n Because these PLCs directly govern physical processes, an exploited vulnerability can result in halted production, equipment damage, or hazardous operating conditions.<\/p>\n The CODESYS Control runtime manages real-time input\/output processing and network communications for automated systems.<\/p>\n The newly discovered vulnerabilities impact how the runtime handles file permissions and backup restorations.<\/p>\n CVE-2025-41658 (5.5, Medium):<\/strong> Incorrect default permissions allow local users to read CODESYS password hashes.<\/p>\n CVE-2025-41659 (8.3, High):<\/strong> Improper permissions allow low-privilege users to access sensitive cryptographic data.<\/p>\n CVE-2025-41660 (8.8, High):<\/strong> Flawed resource transfer allows restoration of a tampered boot application.<\/a><\/p>\n To execute this attack, a threat actor first needs valid Service-level credentials.<\/p>\n Standard security controls usually prevent this, but attackers can steal credentials via default passwords, a compromised engineering workstation, or by exploiting CVE-2025-41658 to extract hashes.<\/p>\n Once authenticated, the attack unfolds in several stages:<\/p>\n A compromised Soft PLC allows adversaries to alter actuator behavior, change safety setpoints, and override critical system interlocks.<\/p>\n This attack aligns with several MITRE ATT&CK for ICS techniques, including Manipulation of Control (T0831), Module Firmware modification (T0839), and Theft of Operational Information (T0882).<\/p>\n CODESYS Group has fully resolved these issues in CODESYS Control Runtime version 4.21.0.0 and Toolkit version 3.5.22.0.<\/p>\n According to Nozomi Networks<\/a>, to prevent further tampering, CODESYS has made code signing mandatory by default for all PLC code before it can be deployed or executed.<\/p>\n Administrators should apply these updates immediately, enforce strict network segmentation, and continuously monitor industrial network traffic for suspicious activity.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Attackers Can Backdoor CODESYS Applications by Chaining Vulnerabilities<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"CODESYS](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjSBtcaVo8XzCsnLJt3-zcyqQSdT9YMo1JUMsLECGtUVlta4dqVMMzmFWG0Im1sL1Xx8kGLnGhts-meXTb1NH2trjjg_xf1SowQwUHk4JcSGBRbEaXdWOfvOaySkrIWlTSedgaqCWWAvrrvRb7cW2TBQirZ3cB0SyLlufPU69kHelVjic7x4-uKo1IRBNU\/s1600\/Screenshot%25202026-04-27%2520104704%2520%25281%2529.webp?ssl=1\")
The Attack Chain Workflow<\/strong><\/h2>\n
![\"CODESYS](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgttEctwGVg8EJmeGnryUwR50zjm10Cyx970A0lFm4hdWDJ8AutlDRUaUxlxK16FxvsVZjCd0fQBhM4OyVc8KJY9pE_OkDuT8ezQC_Dnyw0JqA0zuJ9Vt8-sJyRXItY-b5vqklh0fVSMC6mcu1ArjiPTAyaKojsas7-rvZ_OlUj_eKBxUaUAduXwaeDWtI\/s1600\/Screenshot%25202026-04-27%2520104720%2520%25281%2529.webp?ssl=1\")
\n
![\"Detection](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEilVioYWB1kZSPmT69Y69NikKJTHAwPr1pVmF2fMxCRw0cNQ-0vOryyr1yqsoh0odiWo2YS-U9BKo88sXTI4OXfi8ZRHQA3CdB9sjtjsAb8gcQ7oC73bfqVjeoDouPPS1XDsl8zWg-_Ewh902IrZnpBVyn67N99ywdjQA3sAy1CwdROx6YNOzvyk9YU9cc\/s1600\/Screenshot%25202026-04-27%2520104732%2520%25281%2529.webp?ssl=1\")