Chaining Vulnerabilities to Achieve Root Access in CODESYS Soft PLCs
Recent research published by Nozomi Networks Labs has uncovered a sophisticated exploit chain targeting the CODESYS Control runtime. By leveraging three distinct security flaws, a threat actor with minimal, low-level authenticated access can execute a highly targeted attack: replacing legitimate industrial logic with a backdoored application.
The endgame of this exploit is severe. Once the malicious code is deployed, the attacker transitions from a restricted user to having full administrative control over both the PLC application and the underlying host operating system. This discovery serves as a stark reminder of the precarious security posture often found in contemporary Operational Technology (OT) environments and underscores the critical need for granular identity and access management.
The Architecture of CODESYS Soft PLCs
In the modern industrial landscape, CODESYS has become a cornerstone of automation. It provides a hardware-agnostic development environment that enables engineers to turn standard industrial PCs or even single-board computers into high-performance Soft Programmable Logic Controllers (Soft PLCs). This flexibility allows manufacturers to run complex automation logic on general-purpose hardware, significantly reducing the cost compared to proprietary, fixed-function hardware.

The operational workflow relies on a dual-component architecture: a Windows-based Integrated Development Environment (IDE) for logic programming and compilation, and the CODESYS Control runtime, which serves as the execution engine on the target field device. Because these Soft PLCs are tasked with regulating critical physical processes—such as chemical dosing, robotic motion, and energy distribution—any compromise of the runtime can lead to direct physical consequences.

The vulnerability chain identified by Nozomi researchers consists of three specific flaws that, when sequenced, bypass the traditional security boundaries of the device:
- CVE-2025-41658 (CVSS 5.5): A broken access control flaw in default permissions. It allows a local user to read sensitive files, which can be used to exfiltrate password hashes for offline cracking.
- CVE-2025-41659 (CVSS 8.3): A high-severity permission assignment error. This allows an attacker to access the device’s internal cryptographic material, effectively neutralizing data protection layers.
- CVE-2025-41660 (CVSS 8.8): A critical flaw in the resource transfer mechanism. This enables the unauthorized upload and restoration of manipulated project files back to the runtime.
Technical Breakdown: The Attack Chain
The attack begins with the acquisition of Service-level credentials. This is often achieved through the “path of least resistance,” such as exploiting weak or default passwords, compromising an engineering workstation via lateral movement, or using CVE-2025-41658 to harvest local hashes.
Once the attacker has established a foothold, they exploit the device’s standard backup functionality. They trigger a download of the current boot application. This backup is essentially a ZIP archive containing the compiled application binary and a CRC32 checksum—a relatively weak integrity check that is not cryptographically secure.
To bypass any existing code encryption or digital signatures, the attacker utilizes CVE-2025-41659 to extract the device’s own cryptographic keys. With these keys in hand, the attacker can modify the binary—for example, by injecting a reverse shell or malicious machine code—and simply recompute the CRC32 checksum so the file appears structurally valid.

The final stage involves CVE-2025-41660, which allows the attacker to push the tampered backup back to the PLC. Because a standard Service user lacks the permissions to trigger an immediate application restart, the attacker must remain patient, waiting for a scheduled maintenance reboot or an operator-initiated restart. Once the system reboots, the injected backdoor executes with root privileges, granting the attacker full administrative dominance over the environment.
Mapped against the MITRE ATT&CK for ICS framework, the impact is potentially catastrophic. A successful exploit allows for the manipulation of sensor data, the bypassing of safety-instrumented systems (SIS), and the direct control of physical actuators, which can lead to equipment destruction or environmental hazards.
Remediation and Defense-in-Depth
Following a coordinated responsible disclosure, the CODESYS Group has released critical updates. To mitigate these risks, users must upgrade to CODESYS Control Runtime version 4.21.0.0 or Runtime Toolkit version 3.5.22.0.
Beyond simple patching, the vendor has implemented a fundamental architectural change: code signing is now mandatory by default for all PLC code. This ensures that even if an attacker manages to manipulate a file, the device will refuse to execute it without a valid, trusted signature.
Recommended Security Posture:
- Immediate Patching: Prioritize updates for all Soft PLC deployments.
- Network Segmentation: Isolate OT assets from the IT network and the public internet using robust firewalls and DMZs.
- Credential Hygiene: Eliminate default passwords and implement strict, role-based access controls (RBAC).
- Continuous Monitoring: Deploy OT-specific monitoring solutions to detect anomalous traffic or unauthorized configuration changes in real-time.