👤 SHADOWFIREWALL
🗓️ 27 Apr 2026

Industrial Intrusion: Chained Vulnerabilities Expose CODESYS-Controlled Factories to Stealthy Takeovers

Attackers combine multiple flaws to hijack industrial controllers, risking sabotage and operational chaos.

Imagine a factory floor where machines operate with precision, valves open and close on cue, and robotic arms never miss a beat - or so it seems. Beneath this orchestrated calm, a silent threat lurked until recently: a trio of vulnerabilities in the widely-used CODESYS Control runtime, now uncovered and patched, that could have let attackers seize control of critical industrial systems with chilling ease.

The Anatomy of a Stealthy Industrial Attack

Nozomi Networks Labs’ recent discovery sent ripples through the industrial cybersecurity community. Their researchers found that by cleverly chaining three newly identified flaws - CVE-2025-41658, CVE-2025-41659, and CVE-2025-41660 - an attacker with even minimal privileges could replace trusted automation code with a malicious version, effectively planting a backdoor with administrative control over both the industrial device and its underlying operating system.

CODESYS, a backbone of automation in sectors from energy to manufacturing, allows ordinary computers to act as the brains of industrial processes. The newly exposed vulnerabilities targeted the very heart of these operations, enabling a multi-step attack:

  1. Credential Capture: The attacker gains Service-level credentials - through weak passwords, compromised workstations, or by exploiting CVE-2025-41658 to extract password hashes.
  2. Application Download: With access, they download the PLC’s application backup, stored as a ZIP file with a weak CRC32 integrity check.
  3. Cryptographic Bypass: Using CVE-2025-41659, attackers extract cryptographic keys, sidestepping protections like code signing or encryption.
  4. Malicious Injection: The binary is modified - say, with a root-level backdoor - then repacked to appear legitimate.
  5. Stealthy Restoration: Leveraging CVE-2025-41660, the doctored application is uploaded back to the device.
  6. Execution: The backdoor springs to life once the device is rebooted, leaving attackers with unfettered control.

The implications are severe: attackers could manipulate industrial processes, falsify sensor data, bypass safety controls, or even sabotage equipment - risks that move from the digital realm into the physical world.

Fortunately, after responsible disclosure, CODESYS quickly patched the vulnerabilities and mandated code signing for all PLC applications. Security specialists now urge organizations to patch without delay, harden credentials, segment their operational networks, and monitor for unusual activity to prevent exploitation.
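To make concrete why the CRC32 check in step 2 offers no protection and why mandatory code signing closes that gap, here is an added example (not CODESYS code, not from Nozomi's research). It builds a small in-memory ZIP standing in for an application backup and compares the two verification approaches; the HMAC-SHA256 tag with a device-held key is a hypothetical stand-in for a real code-signing scheme, and the key and program bytes are constructed.

```python
"""Why a CRC32 'integrity check' cannot detect a deliberately repacked backup.

Added example; not CODESYS code. Two verifiers are compared:
  - CRC32 as stored in each ZIP entry header (unkeyed, anyone can recompute it), and
  - a keyed HMAC-SHA256 tag over the archive bytes (hypothetical stand-in for
    code signing: the verifying device holds a key the uploader does not).
"""
import hashlib
import hmac
import io
import zipfile
import zlib

# Constructed sample key, assumed to be known only to the verifying device.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def build_backup(program: bytes) -> bytes:
    """Create an in-memory ZIP with one 'application' entry (a constructed backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Application.app", program)
    return buf.getvalue()


def crc_check_passes(archive: bytes) -> bool:
    """Verify only the per-entry CRC32 that the ZIP format itself stores."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return all(zlib.crc32(zf.read(info)) == info.CRC for info in zf.infolist())


def sign(archive: bytes, key: bytes) -> bytes:
    """Keyed tag over the whole archive; only a key holder can produce it."""
    return hmac.new(key, archive, hashlib.sha256).digest()


def signed_check_passes(archive: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against a fresh computation."""
    return hmac.compare_digest(sign(archive, key), tag)


def demo() -> dict:
    original = build_backup(b"original control logic")
    tag = sign(original, DEVICE_KEY)          # issued when the backup was made
    repacked = build_backup(b"modified control logic")  # different contents
    # The ZIP writer recomputes the entry CRC, so the CRC check still passes;
    # the keyed tag, bound to the original bytes, no longer matches.
    return {
        "crc_original": crc_check_passes(original),
        "crc_repacked": crc_check_passes(repacked),
        "signed_original": signed_check_passes(original, tag, DEVICE_KEY),
        "signed_repacked": signed_check_passes(repacked, tag, DEVICE_KEY),
    }
```

Running `demo()` shows the CRC verifier accepting both archives while the keyed verifier accepts only the original, which is the property a device-side signature check must provide before restoring an application.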

Conclusion: The High Stakes of Industrial Security

This incident is a stark reminder that operational technology is a prime target for increasingly sophisticated cyberattacks. As the digital and physical worlds converge, the resilience of our factories, power plants, and infrastructure hinges not just on software updates - but on a culture of vigilance and proactive defense.

WIKICROOK

  • Soft PLC: A soft PLC is a software controller that mimics hardware PLCs, running on standard computers to automate industrial processes and enhance flexibility.
  • CRC32: CRC32 is a fast checksum method for detecting accidental file errors, but it is not secure against intentional tampering or attacks.
  • Root Shell: A root shell gives users full administrative control on Unix or Linux systems, allowing unrestricted command execution and system modifications. Use with caution.
  • Code Signing: Code signing is the process of digitally signing software to prove it’s from a trusted source and hasn’t been tampered with.
  • Operational Technology (OT): Operational Technology (OT) includes the computer systems that control industrial equipment and processes; these systems are often more vulnerable than traditional IT systems.
Tags: CODESYS vulnerabilities, industrial cybersecurity, operational technology
