By chaining three newly discovered flaws, a low-privileged authenticated attacker can replace legitimate industrial control applications with malicious backdoored versions, ultimately gaining administrative control over both the device and its host operating system.
CODESYS is widely used across industrial environments as a manufacturer-independent development platform.
It enables standard computing devices to function as Soft Programmable Logic Controllers (Soft PLCs), which control critical processes in sectors such as energy, manufacturing, and infrastructure.
These systems manage physical operations like valve control, robotic automation, and sensor monitoring, making them a high-value target for threat actors.
The vulnerabilities identified by Nozomi researchers are now patched by CODESYS, including:
The attack begins with the adversary obtaining Service-level credentials. This can be achieved through weak passwords, compromised engineering workstations, or by exploiting the first vulnerability to retrieve password hashes.
Once authenticated, the attacker downloads the PLC’s application as a backup file. This file is stored as a ZIP archive containing the application binary and a weak CRC32 checksum for integrity verification.
Using CVE-2025-41659, attackers can extract cryptographic keys to bypass protections such as code signing or encryption.
The attacker then modifies the binary by injecting malicious code, such as a reverse root shell, and recalculates the CRC32 checksum to make the file appear legitimate.
Exploiting CVE-2025-41660, the altered application is restored to the device.
Although Service-level users cannot directly restart the system, the malicious code executes once the PLC is rebooted, either during routine maintenance or operator action.
At that point, the backdoor runs with root privileges, granting full administrative access.
This attack chain poses serious risks to operational technology (OT) environments. According to MITRE ATT&CK for ICS, such access could allow attackers to manipulate industrial processes, alter sensor data, bypass safety controls, and potentially cause physical damage to equipment.
Following responsible disclosure, CODESYS released patches in Control Runtime version 4.21.0.0 and Runtime Toolkit version 3.5.22.0.
The company has also enforced mandatory code signing for PLC applications to prevent unauthorized modifications.
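The weak point the chain relies on is that a CRC32 is an error-detecting code, not an authentication mechanism: whoever can edit the archive can recompute it. The following added example (written for this page, not Nozomi's or CODESYS's code; the archive layout, the sample application text and the verifier key are all constructed) contrasts that unkeyed checksum with a keyed HMAC tag whose key stays on the device, which is the property a mandatory code-signing check provides.

```python
import hashlib
import hmac
import io
import zipfile
import zlib

# Constructed sample "application binary" and a constructed key; neither is CODESYS data.
SAMPLE_APP = b"PROGRAM PLC_PRG\n  Valve := Sensor > 42;\nEND_PROGRAM\n"
VERIFIER_KEY = b"constructed-demo-key-not-a-real-secret"


def build_backup(app_bytes: bytes) -> bytes:
    """Build a ZIP backup holding the application plus an unkeyed CRC32 'integrity' file.

    This mirrors the weak scheme described in the article: the checksum is derived
    from the content alone, so it is recomputable by anyone who can rewrite the archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("application.bin", app_bytes)
        zf.writestr("application.crc", f"{zlib.crc32(app_bytes) & 0xFFFFFFFF:08x}")
    return buf.getvalue()


def read_backup(backup: bytes):
    """Return (application bytes, stored CRC hex string) from a backup archive."""
    with zipfile.ZipFile(io.BytesIO(backup)) as zf:
        return zf.read("application.bin"), zf.read("application.crc").decode()


def crc_check_passes(backup: bytes) -> bool:
    """The unkeyed check: only detects accidental corruption, never deliberate edits."""
    app, crc_hex = read_backup(backup)
    return int(crc_hex, 16) == (zlib.crc32(app) & 0xFFFFFFFF)


def sign_tag(app_bytes: bytes, key: bytes) -> str:
    """Keyed tag computed when the application is legitimately deployed.

    Assumption for this example: the verifier key lives on the device and is never
    shipped inside the backup, so a modified archive cannot carry a matching tag.
    """
    return hmac.new(key, app_bytes, hashlib.sha256).hexdigest()


def mac_check_passes(app_bytes: bytes, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against the restored content."""
    return hmac.compare_digest(sign_tag(app_bytes, key), tag)


def demo(key: bytes = VERIFIER_KEY) -> dict:
    """Run both checks against the original backup and a modified one."""
    original = build_backup(SAMPLE_APP)
    tag = sign_tag(SAMPLE_APP, key)  # recorded on the device at deployment time

    # Constructed modification: change one threshold constant and rebuild the archive.
    # build_backup recomputes the CRC, which is exactly why the CRC proves nothing.
    tampered_app = SAMPLE_APP.replace(b"> 42", b"> 99")
    tampered = build_backup(tampered_app)

    return {
        "crc_accepts_original": crc_check_passes(original),
        "crc_accepts_tampered": crc_check_passes(tampered),
        "mac_accepts_original": mac_check_passes(read_backup(original)[0], tag, key),
        "mac_accepts_tampered": mac_check_passes(read_backup(tampered)[0], tag, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two results that matter are `crc_accepts_tampered` (True, because the checksum travels with the data it is supposed to protect) and `mac_accepts_tampered` (False, because the tag depends on a key the archive editor does not hold). A real code-signing scheme uses an asymmetric signature rather than an HMAC so the device holds only a public key, but the verification property is the same: restoring an archive is not enough, the content must carry a proof tied to a secret kept off the backup path.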
Security experts strongly urge organizations to apply patches immediately, enforce strict credential policies, segment OT networks, and continuously monitor for suspicious activity to mitigate potential exploitation.
The post Attackers Chain Flaws to Backdoor CODESYS Applications and Deploy Malicious Code appeared first on Cyber Security News.