
Introduction
Industrial control systems are the hidden engines behind modern society. They regulate factories, power grids, water facilities, transportation systems, and countless automated processes. When vulnerabilities emerge inside these environments, the consequences can move beyond data theft and into real-world disruption. A newly disclosed set of security flaws in the CODESYS Control runtime has raised serious concern after researchers revealed that attackers could use them to fully compromise industrial devices and silently replace legitimate automation logic with malicious code.
Vulnerabilities Expose Core Industrial Infrastructure
Researchers from Nozomi Networks Labs uncovered three major vulnerabilities affecting the CODESYS Control runtime, a widely used platform in industrial environments. CODESYS allows standard computing systems to operate as Soft Programmable Logic Controllers, commonly known as Soft PLCs. These controllers handle sensitive physical operations such as robotic movement, pressure systems, sensor inputs, valve control, and production line automation.
Because CODESYS is manufacturer-independent and broadly adopted across multiple industries, any weakness inside the platform can have a wide operational impact.
The discovered flaws include:
CVE-2025-41658
This issue carries a CVSS score of 5.5. Incorrect default permissions allow local users to access sensitive files and potentially retrieve password hashes.
CVE-2025-41659
Rated 8.3, this vulnerability exposes critical cryptographic materials stored on the affected device. That means attackers may gain access to keys used for trust and protection mechanisms.
CVE-2025-41660
With a severity score of 8.8, this flaw involves insecure resource transfer behavior. It allows attackers to upload and restore manipulated project files onto the target system.
How the Attack Works
The attack chain begins when a threat actor gains Service-level credentials. This could happen through weak passwords, phishing, compromised engineering workstations, or by extracting password hashes through the first vulnerability.
Once authenticated, the attacker downloads the PLC application backup. This backup is stored as a ZIP archive containing the application binary and a CRC32 checksum used for integrity verification.
Researchers noted that CRC32 is weak for modern security needs and can be recalculated after modifications.
Using the second vulnerability, attackers can retrieve cryptographic keys and bypass security protections such as signing or encryption.
They then modify the application binary and inject malicious payloads. One example described was a reverse root shell, which would give remote command access once activated.
After recalculating the checksum, the manipulated file appears valid.
Using the third vulnerability, the attacker restores the tampered application back to the industrial device.
Although Service-level accounts cannot immediately reboot the controller, the malicious code activates when the PLC is restarted during scheduled maintenance, operator action, or any routine reboot event.
At that moment, the payload executes with root privileges, giving full administrative control over both the controller and the host operating system.
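To show why the CRC32 in the backup archive is not a security control, here is an added example (not CODESYS code; the archive layout and file names are assumptions): it builds a constructed backup, shows that a rebuilt CRC32 passes after the application binary changes, and contrasts it with a keyed HMAC-SHA256 tag recorded from the known-good logic and kept off the controller, which flags the change before it can be restored.

```python
import hashlib
import hmac
import io
import zipfile
import zlib

# Constructed sample backup: a ZIP holding the application binary plus a
# CRC32 sidecar, mirroring the layout the article describes. File names and
# layout are assumptions, not the real CODESYS format.
def build_backup(app_bytes: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Application.app", app_bytes)
        z.writestr("Application.crc", f"{zlib.crc32(app_bytes):08x}")
    return buf.getvalue()

def read_app(backup: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(backup)) as z:
        return z.read("Application.app")

def crc_check(backup: bytes) -> bool:
    """Unkeyed check: detects accidental corruption only, because whoever can
    edit the binary can also recompute the CRC32 stored beside it."""
    with zipfile.ZipFile(io.BytesIO(backup)) as z:
        stored = int(z.read("Application.crc").decode(), 16)
    return zlib.crc32(read_app(backup)) == stored

def hmac_tag(app_bytes: bytes, key: bytes) -> str:
    """Keyed tag recorded when the known-good backup is taken; key and tag
    stay on the engineering side, never on the controller."""
    return hmac.new(key, app_bytes, hashlib.sha256).hexdigest()

def hmac_check(backup: bytes, key: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(read_app(backup), key), expected_tag)

# Known-good baseline (all values constructed for the demo)
KEY = b"constructed-demo-key-keep-off-the-plc"
GOOD_APP = b"LD X0\nOUT Y0\nEND\n"   # stand-in for compiled PLC logic
GOOD_BACKUP = build_backup(GOOD_APP)
GOOD_TAG = hmac_tag(GOOD_APP, KEY)
# A changed backup whose CRC32 sidecar was rebuilt to match the new contents
MODIFIED_BACKUP = build_backup(GOOD_APP + b"; extra logic\n")

def verdicts() -> dict:
    return {
        "good_crc": crc_check(GOOD_BACKUP),                      # True
        "good_hmac": hmac_check(GOOD_BACKUP, KEY, GOOD_TAG),     # True
        "modified_crc": crc_check(MODIFIED_BACKUP),              # True: CRC passes
        "modified_hmac": hmac_check(MODIFIED_BACKUP, KEY, GOOD_TAG),  # False: caught
    }
```

Running the check against every backup before a restore or scheduled reboot turns the "known-good PLC logic" recommendation into a concrete gate rather than a shelf copy.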
Why This Is Dangerous
This type of compromise is especially severe in operational technology environments. Unlike standard IT networks, industrial systems interact directly with physical machinery.
An attacker with this level of access could:
Manipulate Processes
They may alter valve timing, robotic behavior, conveyor logic, or production sequencing.
Falsify Sensor Data
Operators may see normal readings while dangerous conditions develop in the background.
Disable Safety Controls
Emergency shutdown systems or protective logic could be bypassed.
Damage Equipment
Incorrect commands can overheat machinery, overload motors, or destroy sensitive components.
Cause Downtime
Production interruptions in manufacturing or utilities can lead to significant financial losses.
Vendor Response
Following responsible disclosure, CODESYS released security patches to address the issues.
Affected organizations are advised to update to:
Control Runtime version 4.21.0.0
Runtime Toolkit version 3.5.22.0
The company also introduced mandatory code signing for PLC applications. This makes unauthorized project modification significantly more difficult.
What Undercode Says:
This incident highlights a long-standing challenge in industrial cybersecurity: many OT systems were designed for reliability and uptime first, security second. For years, industrial platforms trusted internal networks and privileged users far more than modern threat models allow.
The fact that Service-level credentials were enough to begin the compromise is important. In real-world attacks, adversaries often target lower-level accounts first because they are easier to steal and may attract less attention than administrator accounts.
Another major issue is weak integrity verification. CRC32 is useful for detecting accidental corruption, but it is not a true security control. Using it against determined attackers creates a false sense of protection.
The theft of cryptographic materials is equally alarming. Once keys are exposed, security features built on those keys can collapse. This is why hardware-backed key storage and least-privilege access controls are becoming essential in industrial devices.
The delayed activation model of the malware is also smart from an attacker’s perspective. Instead of triggering instantly and raising alarms, the malicious code waits for a reboot. In industrial environments where systems may run continuously for long periods, this can help attackers remain unnoticed until the right moment.
This case also shows how cyberattacks against factories or infrastructure no longer require exotic zero-day espionage campaigns. Sometimes a chain of practical weaknesses, combined intelligently, can achieve devastating access.
Organizations should not treat patching as optional in OT anymore. While uptime concerns are real, unpatched controllers can become the bigger business risk.
Security teams should also improve segmentation between IT and OT networks, monitor engineering workstations, audit privilege usage, and maintain backups of known-good PLC logic.
As industrial systems continue connecting to cloud analytics, remote maintenance platforms, and enterprise systems, attack surfaces will keep expanding. Vendors that adopt secure-by-design principles now will be better positioned than those relying on legacy trust assumptions.
Fact Checker Results
✅ Nozomi Networks Labs publicly disclosed three CODESYS-related vulnerabilities.
✅ Researchers described an attack chain leading to root-level compromise after reboot.
✅ Vendor patches and stronger code-signing protections were issued in response.
Prediction
⚠️ More researchers will begin auditing PLC runtimes and engineering software after this disclosure.
⚠️ Industrial operators will face increasing pressure to patch legacy OT systems faster.
⚠️ Future attacks may focus on software supply chains and trusted automation logic instead of direct sabotage.
References:
Reported By: cyberpress.org