CVE-2025-41659

CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

8.3HIGH

EPSS

0.0%

top 86.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Codesys Control FOR Beaglebone SL Codesys Control FOR Empc-a/imx6 SL Codesys Control FOR Iot2000 SL +13 more

Timeline

PublishedAug 4

Description

A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:LExploitability: 2.8 | Impact: 5.5

Affected Packages16 packages

▶CVEListV5codesys/runtime_toolkit0.0.0.0 — 3.5.21.20

▶CVEListV5codesys/control_rte_(sl)0.0.0.0 — 3.5.21.20

▶CVEListV5codesys/control_win_(sl)0.0.0.0 — 3.5.21.20

▶CVEListV5codesys/virtual_control_sl0.0.0.0 — 4.17.0.0

▶CVEListV5codesys/control_for_linux_sl0.0.0.0 — 4.17.0.0

🔴Vulnerability Details

CVEList

CODESYS Control PKI Exposure Enables Remote Certificate Access↗2025-08-04

▶

GHSA

GHSA-x97q-fjxx-pvxm: A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys↗2025-08-04

▶