CODESYS Development System, Incorrect Default Permissions, CVE-2026-44468 (HIGH) -DC-May2026-33

Listen to this Post

Intro – How the vulnerability works

CVE-2026-44468 is a local privilege escalation flaw affecting the CODESYS Development System. During an administrative installation, the installer creates a temporary directory with insecure default permissions – these permissions give write access to standard, unprivileged users.
Within that writeable directory, a temporary file defines the exact components (plugins, libraries, or packages) that the installer intends to deploy. Because the directory is world‑writeable, any low‑privileged local attacker can locate this temporary bootstrap file and modify its contents before the installer reads it.
By altering the file, the attacker can replace the list of legitimate components with arbitrary malicious payloads. When the administrative installer later processes the tampered file, it will deploy those attacker‑supplied components. Since the installation runs with elevated privileges (SYSTEM or root), the malicious components inherit those high privileges, granting the attacker full control over the host.
The vulnerability is classified as CWE‑276: Incorrect Default Permissions. Exploitation requires no user interaction and only a local session with low (non‑administrative) rights. The attack vector is local, the complexity is low, and the impact on confidentiality, integrity, and availability is all high.

DailyCVE Form

Platform: CODESYS Development System
Version: 3.0.0.0 – 3.5.22.20
Vulnerability : Incorrect default permissions
Severity: HIGH (CVSS 8.5)
date: 2026‑05‑26

Prediction: Patch already released

What Undercode Say

List insecure temporary directories created by the installer
ls -la /tmp/CODESYS_Install_ 2>/dev/null
find /var/tmp -name "CODESYS" -perm -o+w 2>/dev/null
Show current permissions and the vulnerable bootstrap file
stat /path/to/insecure/temp/component_list.cfg
Simulate the attacker's actions:
echo 'malicious_component.so' >> /path/to/insecure/temp/component_list.cfg

Exploit

  1. Locate the world‑writeable temporary directory created by the administrative installer.
  2. Identify the bootstrap file (e.g. components.lst) that lists the components to be installed.
  3. Replace its contents with a path to a malicious shared library or executable.
  4. Wait for the installer to process the tampered list – the malicious component is deployed with full administrative rights.

Protection

  • Immediately upgrade to CODESYS Development System 3.5.22.20, which fixes the insecure directory permissions.
  • During administrative installations, enforce restrictive umask values (e.g. umask 027) before creating temporary directories.
  • Use system monitoring tools (e.g. auditd) to alert on writes to temporary directories that are world‑writeable.

Impact

Successful exploitation allows a low‑privileged local attacker to escalate to SYSTEM (Windows) or root (Linux) on the engineering workstation. This compromises the entire development environment, enabling the attacker to tamper with PLC logic, steal intellectual property, pivot to live controllers, and modify any files on the host.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top