CVE-2026-14480
OpenPLC · OpenPLC
An authenticated arbitrary file write vulnerability in the OpenPLC Runtime v3 web UI allows attackers to achieve native code execution by uploading malicious C++ source files.
Executive summary
A critical arbitrary file write vulnerability in OpenPLC Runtime v3 allows authenticated users to escalate privileges to full native code execution.
Vulnerability
This vulnerability is an authenticated arbitrary file write issue (CWE-73) in the legacy web UI program-upload workflow. An attacker can supply a malicious filename to write files to arbitrary locations; by overwriting C++ source files within the runtime core, the attacker can force code execution during the compilation process.
Business impact
The CVSS score of 9.9 reflects the extreme risk of total system compromise. Since OpenPLC is often deployed in industrial control environments, this flaw could be leveraged to gain persistence, disrupt critical processes, or manipulate physical hardware controls. The impact includes severe operational downtime and the potential for physical safety risks.
Remediation
Immediate Action: Upgrade to OpenPLC v4 immediately, as v3 is end-of-life and will not receive further security patches.
Proactive Monitoring: Audit the OpenPLC runtime directory for unexpected file modifications or the presence of unauthorized C++ source files.
Compensating Controls: Restrict access to the OpenPLC web management interface to authorized, segmented management networks only.
Exploitation status
Public Exploit Available: False
Analyst recommendation
OpenPLC v3 is deprecated and insecure. Users must transition to OpenPLC v4 as soon as possible, as no patches exist for the v3 branch. Continued use of v3 exposes the environment to significant risk of complete takeover.