New research from Nozomi Networks Labs reveals that attackers can chain multiple vulnerabilities in the widely used CODESYS Control runtime to backdoor industrial control applications and gain full control of affected devices. The flaws allow an authenticated attacker with limited Service-level privileges to extract cryptographic material, bypass optional protections such as code signing and encryption, and replace legitimate control logic with a malicious version that executes with root privileges upon restart. As CODESYS-based PLCs are embedded across critical sectors, including manufacturing, energy, and water systems, exploitation could enable manipulation of physical processes, disruption of operations, or unsafe conditions in industrial environments.
“This research targeted the CODESYS Control runtime, specifically the CODESYS Control for Raspberry Pi SL variant. This version runs on low-cost ARM hardware and provides the full CODESYS Control feature set, making it an accessible and representative target for security analysis,” researchers from Nozomi Networks Labs wrote in a recent blog post. “CODESYS Control for Raspberry Pi SL is a commercial product, but CODESYS offers an evaluation mode that allows unrestricted use for two hours per session. After that window, the runtime stops and must be restarted. Aside from this time limit, the evaluation mode imposes no functional restrictions, meaning every code path and network service is available for testing.”
They added that, “Although our testing was conducted on the Raspberry Pi variant, all the vulnerabilities we discovered affect a much broader set of CODESYS Control runtimes.”
CODESYS-powered PLCs are deployed in a wide range of industrial environments: from manufacturing lines and energy systems to water treatment plants and building automation. In each case, the PLC executes a control application that governs physical processes, adjusting valve positions, regulating motor speeds, or sequencing robotic operations. A compromised control application can therefore cause real-world damage, from halted production to unsafe operating conditions.
The attack requires the attacker to hold valid Service-level credentials for the CODESYS runtime. Standard operational controls should normally prevent unauthorized access, but an attacker can obtain such credentials in several ways: by exploiting weak or default passwords, compromising an engineering workstation where credentials are stored, or, if they already have local access to the Soft PLC, leveraging CVE-2025-41658 to read the file containing CODESYS password hashes.
In other words, the core attack path is an authenticated abuse of overly broad Service privileges. Local operating-system access is not required to tamper with and restore a project once the attacker has those credentials, but it can be one way to obtain them.
The researchers detail that once authenticated as a Service user, an attacker can follow a structured chain to compromise the device. The process begins by downloading the boot application using the CODESYS Development System’s backup functionality. The attacker then exploits CVE-2025-41659 to access cryptographic material stored on the Soft PLC, including retrieving sensitive keys and, where applicable, uploading attacker-controlled certificate authority material.
With this access, optional protections such as code encryption and signing can be bypassed, allowing the attacker to decrypt, modify, and re-encrypt the boot application, and re-sign it if required. The attacker then tampers with the compiled binary to inject malicious machine code and uses CVE-2025-41660 to restore the altered application to the device, overwriting the legitimate version through the same backup mechanism.
As a Service user cannot directly restart the application, the attacker must wait for a system reboot or operator action. Once restarted, the injected code executes with root privileges, matching the level of the CODESYS Control runtime. From there, the attacker can escalate further by modifying the runtime’s user database to grant Administrator access, achieving full control of the device.
The vulnerabilities identified in CODESYS Control runtimes align with several techniques in the MITRE ATT&CK for ICS framework, highlighting how they can be leveraged in real-world industrial attack scenarios.
Under technique T0839, Module Firmware, the combination of CVE-2025-41659 and CVE-2025-41660 allows an adversary with low-privilege access to replace a legitimate control application with a backdoored version. Access to cryptographic material further enables the attacker to bypass optional protections such as encryption and code signing, allowing the modified application to appear legitimate within the deployment process.
In the context of T0831, Manipulation of Control, once malicious code is embedded into the control application, an attacker can directly interfere with the physical processes managed by the PLC. This may involve altering setpoints, overriding safety mechanisms, modifying actuator behavior, or falsifying sensor data. Such actions can lead to unsafe or damaging outcomes in systems such as conveyors, pumps, robotic arms, and HVAC infrastructure.
For T0882, Theft of Operational Information, CVE-2025-41659 enables a low-privilege user to access sensitive cryptographic material stored on the device, which can be used to extract control logic, configuration data, credentials, and operational parameters. This access also weakens trust mechanisms designed to protect deployed applications. In addition, CVE-2025-41658 exposes a file containing CODESYS password hashes to any local user on the Soft PLC, enabling offline credential extraction. Together, these exposures can reveal critical details about the control environment and facilitate further compromise.
The researchers outlined how an attacker with Service-level access can progress from legitimate backup and project-handling features to full device compromise. Their analysis examines how the CODESYS runtime protects its code, how applications are deployed and stored, and why these mechanisms still allow tampering in practice.
While certain low-level details are intentionally withheld for remediation reasons, the research highlights key security implications, including the fact that IEC 61131-3 programs are compiled into executable machine code and run directly by the CODESYS runtime. This means any deployed application effectively executes with root privileges, making the integrity of the deployment process critical.
The research also highlights how privilege design contributes to the risk. CODESYS defines four user levels, Administrator, Developer, Service, and Watch, each with different access rights. Although administrators control permissions, Service users retain write access to application directories to support backup and restore operations. This access creates a critical gap, as it allows Service-level users to download, modify, and re-upload application files. The backup functionality, intended for maintenance, thus becomes a key enabler for exploitation, providing a pathway to tamper with control logic and ultimately compromise the device.
Nozomi identified that CODESYS backup files, stored as .tbf archives, are essentially zip files containing the application binary and a simple CRC checksum, which can be easily modified and recomputed. This design allows a Service-level user to download a backup, alter the application by injecting malicious code, recompute the checksum, and restore the tampered file to the device.
As applications run with root privileges, the injected code executes at the highest level once the system is restarted, enabling full compromise and privilege escalation to Administrator. Even optional protections such as encryption and signing can be bypassed using exposed cryptographic material. While this attack chain has now been mitigated through patches and mandatory code signing, the findings highlight how backup and restore functionality can be abused to achieve persistent and stealthy control over industrial devices.
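The following added example (not from Nozomi or CODESYS) illustrates why a recomputable CRC inside a backup archive gives a defender no tamper evidence, and what a keyed baseline check over the application member looks like instead. The archive layout, member names, and key are constructed assumptions; the real .tbf layout is not documented here.

```python
import hashlib
import hmac
import io
import zipfile
import zlib

# Constructed sample standing in for a CODESYS .tbf backup. The real member
# names and CRC placement are NOT on the page; this layout (one application
# binary plus a text member holding a CRC32) is an assumption for illustration.
APP_NAME = "Application.app"
CRC_NAME = "checksum.crc"
ORIGINAL_APP = b"\x00\x01\x02legit-control-logic\xff"   # constructed bytes
MODIFIED_APP = b"\x00\x01\x02altered-logic\xff"         # constructed bytes
BASELINE_KEY = b"offline-baseline-key"  # constructed; kept off the PLC by the defender


def build_backup(app_bytes: bytes) -> bytes:
    """Write a zip archive holding the binary and its CRC32 (assumed format)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(APP_NAME, app_bytes)
        zf.writestr(CRC_NAME, f"{zlib.crc32(app_bytes) & 0xFFFFFFFF:08x}")
    return buf.getvalue()


def crc_matches(backup: bytes) -> bool:
    """The archive's own CRC check: it passes for any content whose CRC was recomputed."""
    with zipfile.ZipFile(io.BytesIO(backup)) as zf:
        app = zf.read(APP_NAME)
        stored = int(zf.read(CRC_NAME).decode(), 16)
    return stored == (zlib.crc32(app) & 0xFFFFFFFF)


def baseline_tag(backup: bytes) -> str:
    """Keyed SHA-256 over the application member, computed offline from a known-good backup."""
    with zipfile.ZipFile(io.BytesIO(backup)) as zf:
        app = zf.read(APP_NAME)
    return hmac.new(BASELINE_KEY, app, hashlib.sha256).hexdigest()


def verify_against_baseline(backup: bytes, expected_tag: str) -> bool:
    """Tamper check a defender runs on a backup pulled from the PLC during an audit."""
    return hmac.compare_digest(baseline_tag(backup), expected_tag)


if __name__ == "__main__":
    good = build_backup(ORIGINAL_APP)
    changed = build_backup(MODIFIED_APP)   # different binary, CRC recomputed to match
    golden = baseline_tag(good)            # recorded once from the trusted build
    print("CRC check on changed backup:", crc_matches(changed))                    # True
    print("Baseline check on changed backup:", verify_against_baseline(changed, golden))  # False
```

The CRC passes on both archives because it is derived from the contents it protects; only a secret-keyed or signed baseline that the Service account cannot regenerate distinguishes the two, which is the role mandatory code signing now plays.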
CODESYS has addressed these vulnerabilities through security patches for the CODESYS Development System and the CODESYS Control runtimes. Asset owners and operators are strongly advised to update affected Soft PLCs to the latest runtime version, implement network segmentation to reduce exposure, and monitor network traffic to identify vulnerable assets.