Summary
The CODESYS Control runtime system provides a user management mechanism with multiple privilege groups including the visualization administrators group, which is intended solely to manage visualization users.
Due to insufficient authorization checks an authenticated remote user with low-privileged visualization administrator access can delete higher-privileged accounts. However, independent mechanisms protect the deletion of the last remaining device admin user, preventing a complete loss of administrative access to the device.
The CODESYS Control runtime system is only affected if the optional visualization user management feature is enabled and a visualization administrator account has been configured.
Impact
Successful exploitation of this vulnerability allows an authenticated, low-privileged remote visualization administrator to perform unauthorized deletion of user accounts within the device user management. This results in a persistent denial-of-service for legitimate users and may prevent logins of communciation clients.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| CODESYS Control RTE (SL) | vers:generic/<3.5.22.20 | |
| CODESYS Control RTE (for Beckhoff CX) SL | vers:generic/<3.5.22.20 | |
| CODESYS Control Win (SL) | vers:generic/<3.5.22.20 | |
| CODESYS Control for BeagleBone SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for IOT2000 SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for Linux ARM SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for Linux SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for PFC100 SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for PFC200 SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for PLCnext SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for Raspberry Pi SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for WAGO Touch Panels 600 SL | vers:generic/<4.21.0.0 | |
| CODESYS Control for emPC-A/iMX6 SL | vers:generic/<4.21.0.0 | |
| CODESYS HMI (SL) | vers:generic/<3.5.22.20 | |
| CODESYS Runtime Toolkit | vers:generic/<3.5.22.20 | |
| CODESYS Virtual Control SL | vers:generic/<4.21.0.0 |
Vulnerabilities
Expand / Collapse allThe affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges.
Remediation
Update the following products to version 3.5.22.20.
* CODESYS Control RTE (SL)
* CODESYS Control RTE (for Beckhoff CX) SL
* CODESYS Control Win (SL)
* CODESYS HMI (SL)
* CODESYS Runtime Toolkit
Update the following products to version 4.21.0.0. The release of this version is expected in June 2026.
* CODESYS Control for BeagleBone SL
* CODESYS Control for emPC-A/iMX6 SL
* CODESYS Control for IOT2000 SL
* CODESYS Control for Linux ARM SL
* CODESYS Control for Linux SL
* CODESYS Control for PFC100 SL
* CODESYS Control for PFC200 SL
* CODESYS Control for PLCnext SL
* CODESYS Control for Raspberry Pi SL
* CODESYS Control for WAGO Touch Panels 600 SL
* CODESYS Virtual Control SL
The CODESYS Development System and the products available as CODESYS add-ons can be downloaded
and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. Alternatively, as
well as for all other products, you will find further information on obtaining the software update in the CODESYS
Update area https://www.codesys.com/download/.
Acknowledgments
CODESYS GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://www.certvde.com )
- ABB AG for reporting
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 05/26/2026 12:00 | Initial revision. |