CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2025-41691 – CODESYS Control DoS via Unauthenticated NULL Pointer Dereference
https://notcve.org/view.php?id=CVE-2025-41691
04 Aug 2025 — An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition. Un atacante remoto no autenticado puede provocar una desreferencia de puntero NULL en los sistemas de ejecución de CODESYS Control afectados mediante el envío de solicitudes de comunicación especialmente manipuladas, lo que podría conducir a una condición de denegación de serv... • https://certvde.com/de/advisories/VDE-2025-070 • CWE-476: NULL Pointer Dereference •
CVSS: 8.7EPSS: 0%CPEs: 16EXPL: 0CVE-2025-41659 – CODESYS Control PKI Exposure Enables Remote Certificate Access
https://notcve.org/view.php?id=CVE-2025-41659
04 Aug 2025 — A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted. Un atacante con pocos privilegios puede acceder remotamente a la carpeta PKI del sistema de ejecución de CODESYS Control y, por lo tanto, leer y escribir certificado... • https://certvde.com/de/advisories/VDE-2025-051 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2025-41658 – CODESYS Toolkit Exposes Sensitive Files via Default Permissions
https://notcve.org/view.php?id=CVE-2025-41658
04 Aug 2025 — CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions. Los productos basados en CODESYS Runtime Toolkit pueden exponer archivos confidenciales a usuarios del sistema operativo local con pocos privilegios debido a los permisos de archivo predeterminados. • https://certvde.com/de/advisories/VDE-2025-049 • CWE-276: Incorrect Default Permissions •
CVSS: 6.6EPSS: 0%CPEs: 15EXPL: 0CVE-2025-0694 – CODESYS Control V3 removable media path traversal
https://notcve.org/view.php?id=CVE-2025-0694
18 Mar 2025 — Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access. • https://cert.vde.com/en/advisories/VDE-2025-015 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 0CVE-2024-8175 – CODESYS: web server vulnerable to DoS
https://notcve.org/view.php?id=CVE-2024-8175
25 Sep 2024 — An unauthenticated remote attacker can causes the CODESYS web server to access invalid memory which results in a DoS. Un atacante remoto no autenticado puede provocar que el servidor web CODESYS acceda a una memoria no válida, lo que resulta en un DoS. An unauthenticated remote attacker can causes the CODESYS web server to access invalid memory which results in a DoS. • https://cert.vde.com/en/advisories/VDE-2024-057 • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2024-5000 – CODESYS: Incorrect calculation of buffer size can cause DoS on CODESYS OPC UA products
https://notcve.org/view.php?id=CVE-2024-5000
04 Jun 2024 — An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted request to affected CODESYS products which can cause a DoS due to incorrect calculation of buffer size. Un atacante remoto no autenticado puede utilizar un cliente OPC UA malicioso para enviar una solicitud manipulada a los productos CODESYS afectados, lo que puede provocar un DoS debido a un cálculo incorrecto del tamaño del búfer. An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted req... • https://cert.vde.com/en/advisories/VDE-2024-026 • CWE-131: Incorrect Calculation of Buffer Size •
CVSS: 9.0EPSS: 0%CPEs: 11EXPL: 0CVE-2023-6357 – OS Command Injection in multiple CODESYS products
https://notcve.org/view.php?id=CVE-2023-6357
05 Dec 2023 — A low-privileged remote attacker could exploit the vulnerability and inject additional system commands via file system libraries which could give the attacker full control of the device. Un atacante remoto con pocos privilegios podría aprovechar la vulnerabilidad e inyectar comandos adicionales del sistema a través de librerías del sistema de archivos que podrían darle al atacante el control total del dispositivo. • https://cert.vde.com/en/advisories/VDE-2023-066 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 1%CPEs: 14EXPL: 0CVE-2022-4046 – CODESYS: Improper memory restrictions fro CODESYS Control
https://notcve.org/view.php?id=CVE-2022-4046
03 Aug 2023 — In CODESYS Control in multiple versions a improper restriction of operations within the bounds of a memory buffer allow an remote attacker with user privileges to gain full access of the device. • https://cert.vde.com/en/advisories/VDE-2023-025 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.8EPSS: 0%CPEs: 16EXPL: 0CVE-2023-37559 – CODESYS Improper Validation of Consistency within Input in multiple products
https://notcve.org/view.php?id=CVE-2023-37559
03 Aug 2023 — After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37558 Después de una autenticación exitosa como usuario en múltiples productos Codesys en múltiples versiones, solicitudes de comunicación de red específicas diseñadas... • https://cert.vde.com/en/advisories/VDE-2023-019 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 16EXPL: 0CVE-2023-37558 – CODESYS Improper Validation of Consistency within Input in multiple products
https://notcve.org/view.php?id=CVE-2023-37558
03 Aug 2023 — After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37559 Después de una autenticación exitosa como usuario en múltiples productos Codesys en múltiples versiones, solicitudes de comunicación de red específicas diseñadas... • https://cert.vde.com/en/advisories/VDE-2023-019 • CWE-20: Improper Input Validation •