
CVE-2025-41738: Codesys Control Beaglebone DoS Vulnerability

CVE-2025-41738 is a denial-of-service flaw in CODESYS Control for BeagleBone SL that allows unauthenticated attackers to crash the visualisation server. This article covers technical details, affected versions, and mitigation.


CVE-2025-41738 Overview

CVE-2025-41738 affects the visualisation server component of the CODESYS Control runtime system. An unauthenticated remote attacker can trigger access to a resource using a pointer of the wrong type, resulting in a denial-of-service (DoS) condition. The flaw is categorized as a type confusion weakness [CWE-843] and impacts a wide range of CODESYS runtime products deployed across industrial control system (ICS) environments.

Critical Impact

Remote unauthenticated attackers can crash CODESYS Control runtime instances, disrupting programmable logic controller (PLC) operations and operational technology (OT) availability.

Affected Products

  • CODESYS Control for BeagleBone SL, Linux SL, Linux ARM SL, Raspberry Pi SL, IOT2000 SL, eMPC-A/iMX6 SL
  • CODESYS Control for PFC100 SL, PFC200 SL, PLCnext SL, WAGO Touch Panels 600 SL
  • CODESYS Control RTE SL, Control RTE SL (for Beckhoff CX), Control Win SL, Virtual Control SL, HMI SL, Remote Target Visu, Runtime Toolkit

Discovery Timeline

  • 2025-12-01 - CVE-2025-41738 published to NVD
  • 2026-02-23 - Last updated in NVD database

Technical Details for CVE-2025-41738

Vulnerability Analysis

The vulnerability resides in the visualisation server of the CODESYS Control runtime system. The server is reachable over the network and processes requests from visualisation clients such as CODESYS HMI and Remote Target Visu. During request handling, the server accesses a resource through a pointer whose type does not match the actual underlying object. This type confusion [CWE-843] leads to invalid memory access and an unrecoverable runtime fault.

Because the visualisation server typically listens on a TCP port exposed to the engineering network, an attacker who reaches the runtime can trigger the fault without credentials. The result is a denial-of-service condition that halts the runtime and any control logic it executes. Confidentiality and integrity are not directly affected, but loss of availability in an ICS context can interrupt physical processes.

Root Cause

The root cause is improper validation of object types when the visualisation server dereferences pointers tied to client requests. The runtime treats a memory region as one type while it represents another, violating type safety assumptions. This mismatch causes the runtime process to access invalid fields or invoke incorrect handlers, resulting in a crash.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted traffic to the visualisation server port of a vulnerable CODESYS Control runtime. Successful exploitation terminates the runtime, stopping PLC scan cycles and visualisation services until manual restart. No public proof-of-concept is currently linked to the vulnerability, and it is not listed in the CISA Known Exploited Vulnerabilities catalog.

No verified exploit code is publicly available. See the CERT-VDE Advisory VDE-2025-100 for vendor technical details.

Detection Methods for CVE-2025-41738

Indicators of Compromise

  • Unexpected termination or repeated restarts of the CODESYS Control runtime process on affected devices.
  • Loss of visualisation client connectivity coinciding with anomalous inbound traffic to the visualisation server port.
  • Runtime logs indicating access violations, segmentation faults, or pointer-related exceptions in the visualisation module.

Detection Strategies

  • Monitor the CODESYS visualisation server TCP port for malformed or unusually structured client requests from non-engineering hosts.
  • Correlate PLC runtime crash events with network telemetry to identify external sources triggering the fault.
  • Deploy intrusion detection signatures aligned to CERT-VDE advisory VDE-2025-100 once vendor indicators become available.

Monitoring Recommendations

  • Continuously log CODESYS runtime process state and watchdog events into a centralized SIEM for availability tracking.
  • Capture network flow data between IT and OT zones to detect unauthorized hosts contacting visualisation services.
  • Alert on repeated TCP resets or connection failures to visualisation ports, which may indicate exploitation attempts.
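The correlation of runtime crash events with network telemetry described above can be sketched as follows. This is an added example, not code from CODESYS or CERT-VDE: both log formats are hypothetical and the sample lines are constructed, the port and trusted subnet are taken from the iptables example on this page, and the 30-second look-back window is an assumption.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

VISU_PORT = 11740                                # port used in this page's iptables example
TRUSTED = ipaddress.ip_network("10.10.20.0/24")  # HMI subnet from the same example
WINDOW = timedelta(seconds=30)                   # assumed look-back before each crash

# Constructed sample data; both formats are hypothetical, not CODESYS log formats.
CRASH_LOG = """\
2025-12-03T08:14:09Z plc-07 runtime-watchdog: process exited signal=11
2025-12-03T08:21:41Z plc-07 runtime-watchdog: process exited signal=11
2025-12-03T11:02:30Z plc-07 runtime-watchdog: process exited signal=15
"""
FLOW_LOG = """\
2025-12-03T08:13:58Z 10.10.20.15 10.10.30.7 11740
2025-12-03T08:14:05Z 192.168.50.23 10.10.30.7 11740
2025-12-03T08:21:37Z 192.168.50.23 10.10.30.7 11740
2025-12-03T08:21:39Z 192.168.50.23 10.10.30.7 443
2025-12-03T09:40:00Z 172.16.4.9 10.10.30.7 11740
2025-12-03T11:02:10Z 10.10.20.15 10.10.30.7 11740
"""

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse_crashes(log):
    """Return timestamps of abnormal exits (SIGSEGV=11), skipping clean stops."""
    return [ts(l.split()[0]) for l in log.splitlines() if l.endswith("signal=11")]

def parse_flows(log):
    rows = (l.split() for l in log.splitlines() if l.strip())
    return [(ts(t), ipaddress.ip_address(src), int(dport)) for t, src, _dst, dport in rows]

def correlate(crashes, flows):
    """Map each crash time to untrusted sources that hit VISU_PORT within WINDOW before it."""
    return {crash: sorted({str(src) for when, src, dport in flows
                           if dport == VISU_PORT and src not in TRUSTED
                           and crash - WINDOW <= when <= crash})
            for crash in crashes}

def repeat_sources(hits):
    """Sources seen before more than one crash are the strongest leads."""
    counts = Counter(src for srcs in hits.values() for src in srcs)
    return [src for src, n in counts.items() if n > 1]

if __name__ == "__main__":
    hits = correlate(parse_crashes(CRASH_LOG), parse_flows(FLOW_LOG))
    print({c.isoformat(): s for c, s in hits.items()}, repeat_sources(hits))
```

A source that appears before a single crash may be coincidental; one that precedes several crashes from outside the trusted subnet is the host to investigate and block first.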

How to Mitigate CVE-2025-41738

Immediate Actions Required

  • Inventory all CODESYS Control runtime instances and identify versions matching the affected product list.
  • Restrict network access to the CODESYS visualisation server port using firewall rules and OT network segmentation.
  • Apply the fixed runtime versions referenced in CERT-VDE advisory VDE-2025-100 as soon as they are validated for the target environment.

Patch Information

CODESYS has published remediation guidance through CERT-VDE. Refer to the CERT-VDE Advisory VDE-2025-100 for the list of fixed versions across each affected CODESYS Control product. Update all runtime images, virtual controllers, and HMI components to the patched releases provided by CODESYS.

Workarounds

  • Disable the visualisation server on runtimes where it is not required for operations.
  • Place CODESYS controllers behind a firewall that only permits visualisation traffic from explicitly trusted HMI hosts.
  • Enforce strict OT network segmentation to ensure the runtime is not reachable from corporate or external networks.
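```bash
# Configuration example: restrict CODESYS visualisation port access with iptables
# Rule order matters: allow the trusted HMI subnet first...
iptables -A INPUT -p tcp --dport 11740 -s 10.10.20.0/24 -j ACCEPT
# ...then drop visualisation traffic from every other source.
iptables -A INPUT -p tcp --dport 11740 -j DROP
```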

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
