CODESYS Development System Deserialization Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A deserialization vulnerability has been identified in the CODESYS Development System in versions prior to 3.5.21.40. An unauthenticated attacker can achieve arbitrary code execution by tricking a local user into opening a manipulated CODESYS project file; the code runs in the context of the user who opened the file.

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the user context, potentially compromising system integrity, confidentiality, and availability.

Remediation

Users should update to CODESYS Development System version 3.5.21.40 or later. The CODESYS Development System is available for download via the CODESYS Installer, the CODESYS Store, or the CODESYS Update area.
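The practical question for a defender is which workstations in an inventory still run a version below the fixed release. The following is an added example, not code from CODESYS or from this advisory: it compares dotted version strings against the fixed version 3.5.21.40 and lists hosts that need the update. The inventory is constructed for the example, and the assumption that versions appear as up to four dotted numeric segments (a three-segment string such as 3.5.21 is treated as 3.5.21.0) is the example's own.

```python
"""Flag CODESYS Development System installs below the fixed version.

Added example; FIXED_VERSION is taken from the advisory text, everything
else (version format assumption, inventory data) is constructed here.
"""
import re

FIXED_VERSION = "3.5.21.40"  # first fixed release per the advisory
SEGMENTS = 4                 # assumption: versions have at most four numeric parts


def parse_version(text):
    """Turn '3.5.21.40' into the tuple (3, 5, 21, 40).

    Leading whitespace and any trailing non-numeric suffix are ignored;
    shorter strings are right-padded with zeros so '3.5.21' sorts as
    3.5.21.0, i.e. below every patch of 3.5.21.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (SEGMENTS - len(parts))


def is_affected(installed_version):
    """True when the installed version is strictly older than the fix."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return the hosts whose installed version still needs the update.

    inventory: iterable of (hostname, version_string) pairs.
    """
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("eng-ws-01", "3.5.20.10"),   # older service pack: affected
    ("eng-ws-02", "3.5.21.40"),   # exactly the fixed version: not affected
    ("eng-ws-03", "3.5.21"),      # no patch level given: treated as 3.5.21.0
    ("eng-ws-04", "3.5.21.50"),   # later patch: not affected
    ("eng-ws-05", "3.6.0.0"),     # later minor: not affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION} or later")
```

Feed `triage` the output of whatever software-inventory source you already have; the only contract is a sequence of (host, version) pairs.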

Added: Dec 1, 2025, 10:19 AM
Updated: Dec 1, 2025, 4:00 PM

Vulnerability Rating

Custom Algorithm

spread           5.4
impact          10.0
exploitability   4.4
remediation      7.9
relevance        1.2
threat           0.0
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.