CVE-2026-3509 Overview
CVE-2026-3509 is a format string vulnerability [CWE-134] in the Audit Log component of the CODESYS Control runtime system. An unauthenticated remote attacker can control the format string of messages processed by the Audit Log, resulting in a denial-of-service (DoS) condition. CODESYS Control is widely deployed across industrial automation environments, where it executes IEC 61131-3 programs on programmable logic controllers (PLCs) and industrial PCs. A successful attack disrupts runtime availability without requiring authentication or user interaction.
Critical Impact
An unauthenticated network-based attacker can crash the CODESYS Control runtime, interrupting industrial control processes that depend on it.
Affected Products
- CODESYS Control runtime system (see CERTVDE Advisory VDE-2026-018 for the full list of affected products and versions)
- Industrial automation devices embedding the CODESYS Control runtime
- PLCs and industrial PCs running affected CODESYS Control variants
Discovery Timeline
- 2026-03-24 - CVE-2026-3509 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-3509
Vulnerability Analysis
The flaw is a classic format string vulnerability classified under [CWE-134]: Use of Externally-Controlled Format String. Attacker-supplied input reaches a logging routine in the Audit Log that interprets the data as a format specifier rather than a literal string. When format conversion directives such as %s, %x, or %n are processed against unintended memory, the runtime reads from or writes to invalid addresses. This triggers an exception that terminates the CODESYS Control process, producing a denial-of-service condition. The vulnerability impacts availability only, with no reported impact to confidentiality or integrity. The EPSS score at publication is 0.116%, reflecting a low predicted exploitation probability, though industrial exposure raises operational risk.
Root Cause
The Audit Log routine passes externally controlled message content directly to a format-aware printing function instead of using a fixed format specifier. Standard secure logging practice requires passing untrusted input as an argument, for example log("%s", user_input), rather than log(user_input). The absence of input sanitization in the audit message handler allows attacker-supplied conversion specifiers to be interpreted by the runtime.
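The call-site difference described above, as an added example that is not CODESYS code: a stand-in logging primitive with the defective call beside the hardened one. The function names, the fixed buffer and the "event=" prefix are assumptions; the runtime's real Audit Log API is not shown on this page.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CODESYS code. audit_log() stands in for a generic
 * format-aware logging primitive; it writes into a caller-supplied buffer
 * so the stored entry can be inspected. Its real shape is an assumption. */
static int audit_log(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* BEFORE (CWE-134): the externally controlled message is passed as the
 * format string, so any %x, %s or %n it contains is interpreted by the
 * format engine against whatever happens to be on the stack.
 * Never call this with untrusted data; it exists only to show the defect. */
static int record_event_unsafe(char *out, size_t outsz, const char *msg) {
    return audit_log(out, outsz, msg);
}

/* AFTER: a fixed literal format; the message is only ever an argument, so
 * a "%n" inside it is copied verbatim into the entry and never interpreted. */
static int record_event_safe(char *out, size_t outsz, const char *msg) {
    return audit_log(out, outsz, "event=%s", msg);
}

/* Records msg through the hardened path and reports whether the stored entry
 * still contains the message byte for byte after the 6-byte "event=" prefix,
 * i.e. nothing was interpreted. Returns 1 when intact, 0 otherwise. */
static int stored_verbatim(const char *msg) {
    char entry[256];
    int n = record_event_safe(entry, sizeof entry, msg);
    return n > 0 && (size_t)n < sizeof entry && strcmp(entry + 6, msg) == 0;
}

int main(void) {
    char entry[256];
    /* With a plain message both paths behave alike, which is why the defect
     * goes unnoticed until a message containing '%' arrives. */
    record_event_unsafe(entry, sizeof entry, "user=operator login");
    printf("unsafe path, plain message: %s\n", entry);
    /* Constructed hostile message: the hardened path stores it literally. */
    record_event_safe(entry, sizeof entry, "user=%x%x%n");
    printf("safe path, hostile message:  %s\n", entry);
    return 0;
}
```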
Attack Vector
Exploitation occurs over the network against the CODESYS Control runtime's exposed services. The attacker submits crafted messages containing format specifiers that are recorded by the Audit Log. No credentials, prior access, or user interaction are required. Because many CODESYS Control deployments expose the runtime to operational technology (OT) networks, an attacker with network reach to the device can repeatedly crash the runtime, halting automation logic until service restoration. Refer to the CERTVDE Advisory VDE-2026-018 for protocol-level details.
Detection Methods for CVE-2026-3509
Indicators of Compromise
- Unexpected restarts or crashes of the CODESYS Control runtime process on PLCs or industrial PCs
- Audit Log entries containing format conversion tokens such as %s, %x, %n, or %p in unexpected fields
- Loss of communication with controllers immediately after inbound connections from unknown hosts
Detection Strategies
- Inspect network traffic to CODESYS Control services for messages containing printf-style format specifiers in user-controlled fields
- Correlate runtime crash events with preceding network connections to identify potential exploit attempts
- Baseline Audit Log content and alert on entries that contain non-printable or format-specifier characters
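An added example, not vendor tooling, of the third strategy above: a scanner that counts printf-style conversion directives in an audit-log field, flags %n separately, and is run over constructed sample entries. The verdict thresholds and the line layout are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added detection example, not CODESYS code. Counts printf-style conversion
 * directives in one audit-log field: '%', optional flags/width/precision,
 * optional length modifier, then a conversion character. "%%" is a literal
 * percent and is not counted. *has_n is set when any directive is %n. */
static int count_format_directives(const char *s, bool *has_n) {
    int count = 0;
    bool n_seen = false;
    for (size_t i = 0; s[i]; i++) {
        if (s[i] != '%') continue;
        size_t j = i + 1;
        if (s[j] == '%') { i = j; continue; }                    /* escaped percent */
        while (s[j] && strchr("-+ #0123456789.*", s[j])) j++;   /* flags, width, precision */
        while (s[j] && strchr("hlLjzt", s[j])) j++;              /* length modifier */
        if (s[j] && strchr("diouxXeEfFgGaAcspn", s[j])) {        /* conversion char */
            count++;
            if (s[j] == 'n') n_seen = true;
            i = j;
        }
    }
    if (has_n) *has_n = n_seen;
    return count;
}

/* Thresholds are assumptions for this example, not vendor guidance: any
 * directive is suspicious; %n or three or more directives raises an alert. */
typedef enum { AUDIT_CLEAN, AUDIT_SUSPICIOUS, AUDIT_ALERT } audit_verdict;
static audit_verdict classify_audit_line(const char *line) {
    bool has_n;
    int n = count_format_directives(line, &has_n);
    if (n == 0) return AUDIT_CLEAN;
    return (has_n || n >= 3) ? AUDIT_ALERT : AUDIT_SUSPICIOUS;
}

/* Constructed sample entries in a made-up layout, not real CODESYS output. */
static const char *const SAMPLE_LINES[] = {
    "2026-03-24T10:01:02Z login user=operator result=ok",
    "2026-03-24T10:01:05Z login user=%x%x%x%x result=fail",
    "2026-03-24T10:01:07Z login user=%08x result=fail",
    "2026-03-24T10:01:09Z note text=progress 100%% done",
};
/* Number of sample lines that reach AUDIT_ALERT. */
static int count_alert_lines(void) {
    int alerts = 0;
    for (size_t i = 0; i < sizeof SAMPLE_LINES / sizeof *SAMPLE_LINES; i++)
        alerts += classify_audit_line(SAMPLE_LINES[i]) == AUDIT_ALERT;
    return alerts;
}
```

A field such as "progress 100% done" with a single percent sign is also reported, correctly, because "% d" is a valid directive to printf.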
Monitoring Recommendations
- Forward CODESYS Control Audit Log events and runtime health telemetry to a centralized SIEM for correlation
- Monitor OT network segments for unauthorized sources contacting CODESYS Control listening ports
- Track runtime uptime metrics and alert on repeated unplanned restarts across the controller fleet
How to Mitigate CVE-2026-3509
Immediate Actions Required
- Apply the vendor-supplied update referenced in CERTVDE Advisory VDE-2026-018 once available for affected products
- Restrict network access to CODESYS Control runtime services to trusted engineering workstations only
- Place affected controllers behind firewalls and segment OT networks from corporate and internet-facing zones
Patch Information
Refer to CERTVDE Advisory VDE-2026-018 for the authoritative list of fixed versions and remediation guidance from CODESYS. Apply the patched runtime release that corresponds to each affected product variant in the environment.
Workarounds
- Disable or limit the Audit Log feature where supported by the product configuration until a patch is applied
- Enforce strict firewall rules permitting CODESYS Control traffic only from authorized engineering hosts
- Deploy a VPN or jump-host architecture so that remote engineering access cannot reach the runtime directly
# Example firewall rule restricting CODESYS Control runtime access
# Allow only the engineering workstation subnet (10.10.50.0/24 is a placeholder;
# substitute the real subnet) to reach the runtime port, then drop everything else.
# Order matters: iptables evaluates rules in sequence, so the ACCEPT rule must
# precede the catch-all DROP.
iptables -A INPUT -p tcp --dport 11740 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 11740 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.