A high-severity vulnerability has been discovered in multiple products from Vendor A, which could allow a remote attacker with low privileges to steal or modify critical security certificates. Successful exploitation could lead to system impersonation, interception of sensitive operational communications, and a complete loss of trust in the affected industrial control systems. Organizations are urged to apply vendor patches immediately to mitigate this critical risk.

The vulnerability exists due to an improper access control mechanism on the CODESYS Control runtime system. A remote attacker who has obtained low-privileged credentials can directly access the file system directory where Public Key Infrastructure (PKI) assets are stored. By exploiting this flaw, the attacker can read existing private keys and certificates, and also write or overwrite files in this directory. This allows the attacker to steal cryptographic keys, enabling them to decrypt traffic or impersonate the device, and to install malicious certificates, which could lead to man-in-the-middle (MitM) attacks or a denial of service.

This vulnerability is rated as High severity with a CVSS score of 8.3. Exploitation could lead to severe business impacts, including the complete compromise of secure communications with the affected industrial control systems. An attacker could intercept and decrypt sensitive operational data, inject malicious commands by impersonating legitimate devices, or cause widespread operational disruption through denial-of-service attacks. This breach of trust in the system's cryptographic foundation poses a significant risk to operational technology (OT) safety, security, and availability, potentially leading to production halts, financial loss, and reputational damage.

Immediate Action: Organizations must prioritize the deployment of the security updates provided by Vendor A across all affected systems. Due to the high severity, these patches should be applied immediately following established change control procedures. After patching, review system access logs for any unauthorized access to the PKI folder that may have occurred prior to remediation.

Proactive Monitoring: Security teams should configure enhanced logging and monitoring focused on the CODESYS Control runtime environment. Specifically, monitor for any file access attempts (read, write, delete) to the system's PKI directory from unexpected user accounts or IP addresses. Network monitoring should be configured to alert on unusual traffic patterns to the affected devices and to flag any anomalies related to TLS/SSL certificate exchanges, such as the presentation of new or untrusted certificates.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk of exploitation. Enforce strict network segmentation to isolate affected control systems from corporate and other non-essential networks. Implement firewall rules and access control lists (ACLs) to restrict all remote access to the devices to a limited set of authorized administrative hosts. Additionally, conduct a thorough review of all user accounts, ensuring the principle of least privilege is strictly enforced to limit the number of accounts that could potentially trigger the vulnerability.

Public Exploit Available: false

This vulnerability represents a critical risk to the security and availability of affected operational technology environments. With a CVSS score of 8.3, it should be treated with the highest priority. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact means organizations cannot afford to wait for active exploitation to be observed. We strongly recommend applying the vendor-supplied security updates immediately. Where patching must be delayed, the compensating controls outlined above should be implemented without delay to mitigate the immediate threat.