
CVE-2025-41691: CODESYS Control Runtime DoS Vulnerability

CVE-2025-41691 is a denial-of-service flaw in CODESYS Control runtime systems that allows unauthenticated attackers to trigger a NULL pointer dereference. This post covers technical details, affected systems, and mitigation.

Published:

CVE-2025-41691 Overview

CVE-2025-41691 is a NULL pointer dereference vulnerability affecting CODESYS Control runtime systems. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted communication requests to the affected systems, potentially causing a denial-of-service (DoS) condition. This vulnerability is classified under CWE-476 (NULL Pointer Dereference).

Critical Impact

Unauthenticated remote attackers can crash CODESYS Control runtime systems over the network, disrupting industrial control operations without any user interaction or authentication.

Affected Products

Discovery Timeline

  • 2025-08-04 - CVE-2025-41691 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-41691

Vulnerability Analysis

This vulnerability stems from improper handling of incoming communication requests within CODESYS Control runtime systems. When the runtime receives a malformed or specially crafted network request, the code fails to check for NULL before dereferencing a pointer. The resulting NULL pointer dereference crashes the runtime.

CODESYS Control is widely deployed in industrial control system (ICS) and operational technology (OT) environments, making this vulnerability particularly concerning for critical infrastructure. The attack can be executed remotely over the network without requiring authentication, and no user interaction is needed for successful exploitation.

Root Cause

The root cause is a NULL pointer dereference (CWE-476) in the communication handling code of CODESYS Control runtime systems. The vulnerability occurs when the software attempts to access memory through a pointer that has not been properly initialized or validated, leading to an application crash when the pointer value is NULL.
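The CWE-476 pattern described in the two sections above, as an added example that is not CODESYS code and not taken from the advisory: a hypothetical request dispatcher that looks up a handler by service id, shown in its vulnerable form (trusts the id, the length and the session pointer) beside a hardened form that returns an error code for malformed input. The wire format, service ids, handler table, `probe` helper and error codes are all constructed for the example.

```c
/* Added example, not CODESYS code: the CWE-476 pattern behind a request-handling
 * crash, shown as a hypothetical dispatcher in its vulnerable and hardened forms.
 * Wire format, service ids and handler table are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
    REQ_OK = 0,
    REQ_ERR_EMPTY = -1,           /* no bytes at all: nothing to dispatch on */
    REQ_ERR_NO_SESSION = -2,      /* request arrived before a session object exists */
    REQ_ERR_UNKNOWN_SERVICE = -3, /* service id has no handler in the table */
    REQ_ERR_SHORT = -4            /* handler-specific payload too short */
};

/* Hypothetical wire format: one service-id byte followed by the payload. */
struct request { const uint8_t *data; size_t len; };
struct session { char peer[32]; };

typedef int (*handler_fn)(struct session *s, const uint8_t *payload, size_t n);

static int handle_ping(struct session *s, const uint8_t *p, size_t n)
{
    (void)s; (void)p; (void)n;
    return REQ_OK;
}

static int handle_read(struct session *s, const uint8_t *p, size_t n)
{
    (void)s; (void)p;
    return n >= 2 ? REQ_OK : REQ_ERR_SHORT;   /* handlers validate their own payload too */
}

/* Sparse table: only two service ids are implemented, every other slot is NULL. */
static const handler_fn handlers[256] = { [0x01] = handle_ping, [0x02] = handle_read };

/* Vulnerable: trusts the service id, the length and the session pointer.
 * An unimplemented service id yields fn == NULL and the call crashes the
 * whole runtime; len == 0 reads data[0] out of bounds and underflows len - 1. */
static int dispatch_vulnerable(struct session *s, const struct request *req)
{
    handler_fn fn = handlers[req->data[0]];
    return fn(s, req->data + 1, req->len - 1);
}

/* Hardened: every pointer and length is checked before use, and a malformed
 * request becomes an error code for the caller to turn into an error reply. */
static int dispatch_hardened(struct session *s, const struct request *req)
{
    if (req == NULL || req->data == NULL || req->len == 0)
        return REQ_ERR_EMPTY;
    if (s == NULL)
        return REQ_ERR_NO_SESSION;
    handler_fn fn = handlers[req->data[0]];
    if (fn == NULL)
        return REQ_ERR_UNKNOWN_SERVICE;
    return fn(s, req->data + 1, req->len - 1);
}

/* Feed one constructed packet to a dispatcher. have_session == 0 models a request
 * that arrives before the connection's session object has been created. */
int probe(int hardened, const uint8_t *bytes, size_t len, int have_session)
{
    struct session sess = { "192.0.2.10" };            /* constructed peer address */
    struct request req = { bytes, len };
    struct session *s = have_session ? &sess : NULL;
    return hardened ? dispatch_hardened(s, &req) : dispatch_vulnerable(s, &req);
}

int main(void)
{
    static const uint8_t ping[] = { 0x01 };
    static const uint8_t read_ok[] = { 0x02, 0x10, 0x00 };
    static const uint8_t unknown[] = { 0x7f, 0x00 };
    /* Both dispatchers agree on well-formed traffic; only the hardened one
     * survives the malformed cases, so those are sent to it alone. */
    printf("ping (vulnerable):   %d\n", probe(0, ping, sizeof ping, 1));
    printf("ping (hardened):     %d\n", probe(1, ping, sizeof ping, 1));
    printf("read (hardened):     %d\n", probe(1, read_ok, sizeof read_ok, 1));
    printf("unknown id:          %d\n", probe(1, unknown, sizeof unknown, 1));
    printf("empty request:       %d\n", probe(1, ping, 0, 1));
    printf("no session yet:      %d\n", probe(1, ping, sizeof ping, 0));
    return 0;
}
```

The point the example makes is that the two dispatchers behave identically on well-formed traffic, so the defect never shows up in normal operation; it only surfaces when a peer sends a service id the table does not implement, an empty message, or a message before the per-connection state exists. A sparse lookup table whose empty slots are NULL is one common way such a pointer ends up unvalidated; the fix is to treat every lookup result and every caller-supplied pointer as untrusted at the boundary and reply with an error rather than letting the fault propagate to the whole runtime process.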

Attack Vector

The attack is network-based, allowing remote exploitation. An attacker can send specially crafted communication requests to the CODESYS Control runtime over the network. The malformed requests trigger the NULL pointer dereference condition, causing the runtime system to crash and resulting in a denial-of-service condition.

The vulnerability manifests in the communication request handling routines of the CODESYS Control runtime. For detailed technical information, refer to the CERT@VDE Advisory VDE-2025-070.

Detection Methods for CVE-2025-41691

Indicators of Compromise

  • Unexpected crashes or restarts of CODESYS Control runtime services
  • Anomalous network traffic patterns targeting CODESYS communication ports
  • Error logs indicating NULL pointer dereference or segmentation fault conditions
  • Multiple connection attempts from unknown or suspicious IP addresses

Detection Strategies

  • Implement network intrusion detection systems (IDS) to monitor for malformed CODESYS communication packets
  • Configure logging on CODESYS Control systems to capture connection attempts and application errors
  • Deploy anomaly detection to identify unusual patterns in communication request frequency or structure
  • Monitor system stability and track unexpected runtime crashes or service interruptions

Monitoring Recommendations

  • Enable verbose logging on CODESYS Control runtime systems to capture detailed error information
  • Establish baseline network communication patterns for CODESYS systems and alert on deviations
  • Implement real-time monitoring of CODESYS service availability and health status
  • Correlate logs from network devices and CODESYS systems to identify potential attack attempts
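The "track unexpected runtime crashes" and "correlate logs from network devices and CODESYS systems" items above, as an added example that is not part of the original page and not a CODESYS or vendor tool: a small correlator that reads a time-sorted merge of firewall connection lines and runtime crash lines, raises a crash-loop alert when several crashes fall inside a short window, and reports the peer most often seen in the seconds before a crash. The log line format, the sample lines, the thresholds (`BURST_MIN`, `BURST_WINDOW`, `LOOKBACK`) and the function names are all constructed for the example.

```c
/* Added example, not from the advisory or from CODESYS: correlate a firewall
 * connection log with runtime crash events to spot a crash loop and the
 * peer most often seen right before each crash. Log format and thresholds
 * are constructed for the example; adapt the parsers to your own sources. */
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS   64
#define MAX_SOURCES  16
#define BURST_MIN     3   /* this many crashes within BURST_WINDOW seconds => crash-loop alert */
#define BURST_WINDOW 60
#define LOOKBACK     30   /* a connection counts as "preceding" a crash that follows within this many seconds */

struct event { long ts; int is_crash; char src[16]; };
struct verdict { int crashes; int crash_burst; char top_src[16]; int top_src_hits; };

/* Constructed, time-sorted merge of firewall lines ("conn") and runtime host lines. */
static const char *sample_log[] = {
    "1722772790 conn src=10.10.10.5 dport=2455",
    "1722772801 conn src=198.51.100.7 dport=2455",
    "1722772802 conn src=198.51.100.7 dport=2455",
    "1722772803 runtime CRASH signal=SIGSEGV",
    "1722772810 runtime RESTART",
    "1722772820 conn src=198.51.100.7 dport=2455",
    "1722772821 runtime CRASH signal=SIGSEGV",
    "1722772840 conn src=198.51.100.7 dport=2455",
    "1722772841 runtime CRASH signal=SIGSEGV",
};
#define SAMPLE_LOG_LEN (int)(sizeof sample_log / sizeof sample_log[0])

/* Parse one line; returns 1 for a crash or connection event, 0 for anything else. */
int parse_line(const char *line, struct event *ev)
{
    char kind[16];
    memset(ev, 0, sizeof *ev);
    if (sscanf(line, "%ld %15s", &ev->ts, kind) != 2)
        return 0;
    if (strcmp(kind, "runtime") == 0) {
        ev->is_crash = strstr(line, "CRASH") != NULL;
        return ev->is_crash;                 /* RESTART and other runtime lines are skipped */
    }
    if (strcmp(kind, "conn") == 0)
        return sscanf(line, "%*ld conn src=%15s", ev->src) == 1;
    return 0;
}

/* Returns the number of crash events; fills *v with the burst flag and the top preceding source. */
int analyze(const char **lines, int n, struct verdict *v)
{
    struct event ev[MAX_EVENTS];
    struct { char src[16]; int hits; } tally[MAX_SOURCES];
    int count = 0, sources = 0, i, j;

    memset(v, 0, sizeof *v);
    for (i = 0; i < n && count < MAX_EVENTS; i++)
        if (parse_line(lines[i], &ev[count]))
            count++;

    for (i = 0; i < count; i++) {
        if (ev[i].is_crash) {
            int recent = 0;
            v->crashes++;
            /* crash-loop rule: this crash plus the earlier ones inside the window */
            for (j = 0; j < count; j++)
                if (ev[j].is_crash && ev[j].ts <= ev[i].ts && ev[i].ts - ev[j].ts <= BURST_WINDOW)
                    recent++;
            if (recent >= BURST_MIN)
                v->crash_burst = 1;
            continue;
        }
        /* correlation rule: does a crash follow this connection within LOOKBACK seconds? */
        for (j = 0; j < count; j++)
            if (ev[j].is_crash && ev[j].ts >= ev[i].ts && ev[j].ts - ev[i].ts <= LOOKBACK)
                break;
        if (j == count)
            continue;                         /* no crash followed this connection */
        for (j = 0; j < sources; j++)
            if (strcmp(tally[j].src, ev[i].src) == 0)
                break;
        if (j == sources) {
            if (sources == MAX_SOURCES)
                continue;
            strcpy(tally[sources].src, ev[i].src);   /* both buffers are 16 bytes; src was bounded by %15s */
            tally[sources++].hits = 0;
        }
        tally[j].hits++;
    }
    for (j = 0; j < sources; j++)
        if (tally[j].hits > v->top_src_hits) {
            v->top_src_hits = tally[j].hits;
            strcpy(v->top_src, tally[j].src);
        }
    return v->crashes;
}

int main(void)
{
    struct verdict v;
    analyze(sample_log, SAMPLE_LOG_LEN, &v);
    printf("crashes=%d crash_burst=%d top_src=%s hits=%d\n",
           v.crashes, v.crash_burst, v.top_src, v.top_src_hits);
    return 0;
}
```

On the constructed sample the three crashes at 1722772803, 1722772821 and 1722772841 all fall inside one 60-second window, so the crash-loop rule fires, and 198.51.100.7 is the peer seen before a crash four times against one sighting of the trusted 10.10.10.5 host. The correlation is circumstantial on its own (a legitimate engineering station that happens to poll right before a crash will also be counted), which is why the crash-loop rule is the alert and the top source is reported as supporting context for the responder rather than as an automatic block decision.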

How to Mitigate CVE-2025-41691

Immediate Actions Required

  • Consult the CERT@VDE Advisory VDE-2025-070 for vendor-specific patch information
  • Restrict network access to CODESYS Control systems using firewalls and network segmentation
  • Implement strict access control lists (ACLs) to limit which hosts can communicate with CODESYS runtime systems
  • Monitor CODESYS Control systems for signs of exploitation or unexpected behavior

Patch Information

Refer to the official CERT@VDE Advisory VDE-2025-070 for detailed patch information and remediation guidance from CODESYS. Organizations should contact their CODESYS vendor representative for specific update instructions applicable to their deployed versions.

Workarounds

  • Isolate CODESYS Control systems on dedicated network segments with strict ingress filtering
  • Deploy network-level protections such as firewalls and intrusion prevention systems (IPS) in front of CODESYS systems
  • Implement allowlist-based network access controls to permit only authorized communication sources
  • Consider deploying application-level proxies or gateways that can validate CODESYS communication requests before forwarding

```bash
# Example firewall rule to restrict CODESYS access (adjust port and IP ranges as needed)
# Allow only trusted management subnet to access CODESYS runtime
# Rule order matters: the ACCEPT for the trusted subnet must precede the catch-all DROP
iptables -A INPUT -p tcp --dport 2455 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2455 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
