A high-severity vulnerability has been identified in multiple CODESYS Control runtime systems, designated as CVE-2025-41691. An unauthenticated attacker can remotely exploit this flaw by sending a specially crafted network request, causing the control system to crash and resulting in a denial-of-service (DoS). This can lead to an immediate shutdown of industrial processes, posing a significant risk to operational continuity.

This vulnerability is a NULL pointer dereference that exists within the communication handling component of the CODESYS Control runtime system. An unauthenticated attacker with network access to an affected device can send a specially crafted communication packet. The system fails to properly validate this packet before processing it, leading to an attempt to access a memory location via a null pointer, which causes the runtime process to crash immediately and results in a denial-of-service condition.

This vulnerability is rated as High severity with a CVSS score of 7.5. The primary business impact is the potential for significant operational disruption. Successful exploitation will cause the industrial controller to stop, leading to production downtime, financial losses, and potential spoilage of materials. In environments where these controllers manage critical infrastructure or safety-instrumented systems, a DoS could create hazardous conditions or impact public services. The fact that the attack can be launched remotely without any authentication makes any network-accessible system a high-value and easily targeted asset.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor (CODESYS or the specific device manufacturer) to all affected systems immediately. Before and after patching, organizations should actively monitor for any signs of exploitation attempts by reviewing network traffic and system logs for unexpected communication or service interruptions.

Proactive Monitoring: Monitor network traffic for malformed or unusual requests targeting CODESYS communication ports (e.g., TCP/UDP 1217). System-level monitoring should be configured to alert on unexpected crashes or restarts of the CODESYS runtime service. Correlate any service crashes with inbound network events to identify potential attack sources.

Compensating Controls: If patching cannot be immediately deployed, implement network segmentation to isolate control systems from untrusted networks, including corporate IT and the internet. Use firewalls to create strict access control lists (ACLs) that only permit traffic to the CODESYS ports from authorized engineering workstations or management servers. An Intrusion Prevention System (IPS) with signatures capable of detecting this specific attack pattern can also serve as an effective compensating control.

Public Exploit Available: false

Given the high severity rating and the direct impact on operational technology, it is strongly recommended that organizations prioritize the immediate patching of all affected CODESYS systems. Although there is no evidence of active exploitation, the risk of operational downtime is significant. If patching is delayed for any reason, the implementation of compensating controls, particularly network segmentation and firewall restrictions, is critical to reduce the attack surface and mitigate the risk of a successful denial-of-service attack.