LeakyCreds

CVE-2025-41660 - Vulnerability Analysis

Severity: High, CVSS: 8.8

Last Updated: March 24, 2026

CODESYS Control - Authentication Bypass

Published: March 24, 2026 | Updated: March 24, 2026 | Remote Exploitable

Overview

The CODESYS Control runtime system contains a code execution vulnerability caused by insufficient protection of the boot application, which lets low-privileged remote attackers execute unauthorized code.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 20.8% (Probability of exploitation in next 30 days)

Impact

Low-privileged remote attackers can execute unauthorized code, potentially compromising the entire system.

Mitigation

Update to the latest version of CODESYS Control runtime system.

Social Media Activity (1 post)

CERT@VDE
@certvde
Mar 24, 2026

#OT #Advisory VDE-2026-011 CODESYS Control V3 - Untrusted boot application The CODESYS Control runtime system provides a user management mechanism with multiple privilege groups. While only the privileged Administrators and Developer groups are intended to load or debug applications on the controller, users in the restricted Service group are allowed to perform maintenance operations, including explicitly replacing the boot application. #CVE CVE-2025-41660 https://certvde.com/en/advisories/vde-2026-011/ #CSAF https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-02_vde-2026-011.json


Details

CVE ID: CVE-2025-41660
Severity: High
CVSS Score: 8.8
Type: undefined
Status: unconfirmed
EPSS: 20.8%
Social Posts: 1

CWE

  • CWE-669

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

20.8% (Probability of exploitation in the next 30 days)