Vulnerability-Lookup

FKIE_CVE-2025-0694

Vulnerability from fkie_nvd - Published: 2025-03-18 11:15 - Updated: 2026-06-17 08:26

Severity

6.6 (Medium) - CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access.

References

	URL	Tags
	info@cert.vde.com	https://cert.vde.com/en/advisories/VDE-2025-015

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for BeagleBone SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for emPC-A/iMX6 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for IOT2000 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for Linux ARM SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for Linux SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for PFC100 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for PFC200 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for PLCnext SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for Raspberry Pi SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for WAGO Touch Panels 600 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control RTE (for Beckhoff CX) SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control RTE (SL)",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control Win (SL)",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Runtime Toolkit",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Virtual Control SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "source": "info@cert.vde.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access."
    },
    {
      "lang": "es",
      "value": "La validaci\u00f3n de ruta insuficiente en CODESYS Control permite que atacantes con pocos privilegios y acceso f\u00edsico obtengan acceso completo al sistema de archivos."
    }
  ],
  "id": "CVE-2025-0694",
  "lastModified": "2026-06-17T08:26:59.140",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 5.9,
        "source": "info@cert.vde.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-0694",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2025-03-18T13:09:24.499918Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2025-03-18T11:15:39.400",
  "references": [
    {
      "source": "info@cert.vde.com",
      "url": "https://cert.vde.com/en/advisories/VDE-2025-015"
    }
  ],
  "sourceIdentifier": "info@cert.vde.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "info@cert.vde.com",
      "type": "Secondary"
    }
  ]
}

CVE-2025-0694 (GCVE-0-2025-0694)

Vulnerability from cvelistv5 – Published: 2025-03-18 11:04 – Updated: 2025-03-18 13:09

Title

CODESYS Control V3 removable media path traversal

Summary

Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access.

Severity

6.6 (Medium)


                        
                          CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

CERTVDE

References

1 reference

URL	Tags
https://cert.vde.com/en/advisories/VDE-2025-015

Impacted products

15 products

Vendor	Product	Version
CODESYS	CODESYS Control for BeagleBone SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for emPC-A/iMX6 SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for IOT2000 SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for Linux ARM SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for Linux SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for PFC100 SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for PFC200 SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for PLCnext SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for Raspberry Pi SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control for WAGO Touch Panels 600 SL	Affected: 0 , < 4.16.0.0 (semver)
CODESYS	CODESYS Control RTE (for Beckhoff CX) SL	Affected: 0 , < 3.5.21.0 (semver)
CODESYS	CODESYS Control RTE (SL)	Affected: 0 , < 3.5.21.0 (semver)
CODESYS	CODESYS Control Win (SL)	Affected: 0 , < 3.5.21.0 (semver)
CODESYS	CODESYS Runtime Toolkit	Affected: 0 , < 3.5.21.0 (semver)
CODESYS	CODESYS Virtual Control SL	Affected: 0 , < 4.16.0.0 (semver)

Credits

D. Blagojevic, S.Dietz and T. Weber from CyberDanube

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0694",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-18T13:09:24.499918Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-18T13:09:54.473Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for BeagleBone SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for emPC-A/iMX6 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for IOT2000 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for Linux ARM SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for Linux SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for PFC100 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for PFC200 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for PLCnext SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for Raspberry Pi SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control for WAGO Touch Panels 600 SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control RTE (for Beckhoff CX) SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control RTE (SL)",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Control Win (SL)",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Runtime Toolkit",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.21.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Virtual Control SL",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "4.16.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "D. Blagojevic, S.Dietz and T. Weber from CyberDanube"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access."
            }
          ],
          "value": "Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-18T11:04:06.167Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://cert.vde.com/en/advisories/VDE-2025-015"
        }
      ],
      "source": {
        "advisory": "VDE-2025-015",
        "defect": [
          "CERT@VDE#641743"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "CODESYS Control V3 removable media path traversal",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2025-0694",
    "datePublished": "2025-03-18T11:04:06.167Z",
    "dateReserved": "2025-01-24T08:27:09.159Z",
    "dateUpdated": "2025-03-18T13:09:54.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2025-0694

CVE-2025-0694 (GCVE-0-2025-0694)

Tags

Sightings

Nomenclature