FKIE_CVE-2025-41659

Vulnerability from fkie_nvd - Published: 2025-08-04 08:15 - Updated: 2025-08-04 15:06
Severity ?
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Summary
A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.
References
info@cert.vde.comhttps://certvde.com/de/advisories/VDE-2025-051
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted."
    },
    {
      "lang": "es",
      "value": "Un atacante con pocos privilegios puede acceder remotamente a la carpeta PKI del sistema de ejecuci\u00f3n de CODESYS Control y, por lo tanto, leer y escribir certificados y sus claves. Esto permite extraer datos confidenciales o aceptar certificados como de confianza. Aunque todos los servicios permanecen disponibles, solo es posible la comunicaci\u00f3n sin cifrar si se eliminan los certificados."
    }
  ],
  "id": "CVE-2025-41659",
  "lastModified": "2025-08-04T15:06:15.833",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.5,
        "source": "info@cert.vde.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-04T08:15:48.173",
  "references": [
    {
      "source": "info@cert.vde.com",
      "url": "https://certvde.com/de/advisories/VDE-2025-051"
    }
  ],
  "sourceIdentifier": "info@cert.vde.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "info@cert.vde.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.