Codesys Development System vulnerabilities
6 known vulnerabilities affecting codesys/codesys_development_system.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5, LOW 1
Vulnerabilities
CVE-2025-41700 | HIGH | CVSS 7.8 | CWE-502 | ≥ 0.0.0, < 3.5.21.40 | 2025-12-01
An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.
Sources: cvelistv5, nvd
CVE-2023-3662 | HIGH | CVSS 7.3 | CWE-427 | ≥ 3.5.17.0, < 3.5.19.20 | 2023-08-03
In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20, a vulnerability allows for execution of binaries from the current working directory in the user's context.
Sources: cvelistv5, nvd
CVE-2023-3663 | HIGH | CVSS 8.8 | CWE-940 | ≥ 3.5.11.20, < 3.5.19.20 | 2023-08-03
In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.
Sources: cvelistv5, nvd
CVE-2023-3669 | LOW | CVSS 3.3 | CWE-307 | ≥ 3.0.0.0, < 3.5.19.20 | 2023-08-03
A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts of guessing the password within an import dialog.
Sources: cvelistv5, nvd
CVE-2023-3670 | HIGH | CVSS 7.3 | CWE-668 | ≥ 3.5.9.0, < 3.5.17.0 | 2023-07-28
In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.
Sources: cvelistv5, nvd
CVE-2022-31805 | HIGH | CVSS 7.5 | CWE-523 | ≥ V2, < V2.3.9.69; ≥ V3, < V3.5.18.30 | 2022-06-24
In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.
Sources: cvelistv5, nvd