CVE-2026-3509
CODESYS Control Audit Log Format String DoS
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
24 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
CODESYS · CODESYS Control for BeagleBone SLCODESYS · CODESYS Control for emPC-A/iMX6 SLCODESYS · CODESYS Control for IOT2000 SLCODESYS · CODESYS Control for Linux ARM SLCODESYS · CODESYS Control for Linux SLCODESYS · CODESYS Control for PFC100 SLCODESYS · CODESYS Control for PFC200 SLCODESYS · CODESYS Control for PLCnext SLCODESYS · CODESYS Control for Raspberry Pi SLCODESYS · CODESYS Control for WAGO Touch Panels 600 SLCODESYS · CODESYS Control RTE (for Beckhoff CX) SLCODESYS · CODESYS Control RTE (SL)CODESYS · CODESYS Control Win (SL)CODESYS · CODESYS Runtime ToolkitCODESYS · CODESYS Virtual Control SLWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →