CODESYS Development System, Local Privilege Escalation via TOCTOU Race Condition, CVE-2026-44469 (High) -DC-May2026-31

Listen to this Post

The vulnerability stems from how the CODESYS Development System (versions ≤ 3.5.21.40) handles administrative installations. During such an installation, the product extracts files into a temporary directory but sets incorrect default permissions (CWE-276). This allows any low-privileged local user to read from and write to that temporary folder – a direct violation of the principle of least privilege.
The real danger lies in the Time‑of‑Check to Time‑of‑Use (TOCTOU) race condition. When an administrative installation runs, the product first verifies the integrity (e.g., digital signature) of each file in the temporary directory. After verification, the installer waits a short time before actually copying those files into protected system locations. Because the temporary directory has weak permissions, an attacker can monitor this process and, during the narrow window between “check” and “use,” replace a verified legitimate file with a malicious one.
The attack requires local access and low privileges, but the race window is described as “practical” – meaning it is wide enough to be reliably exploited by a script or a simple monitoring tool. Once the swap occurs, the installer, still running with high privileges, will copy the attacker’s file into a privileged location (e.g., `Program Files` or System32). The result is local privilege escalation (LPE): an attacker can elevate from a standard user account to `SYSTEM` or `Administrator` by injecting arbitrary code or binaries.
The vulnerability was discovered by David Ruscheweyh of SEW‑EURODRIVE GmbH & Co KG and coordinated by CERT VDE (VDE‑2026‑055). The CVE was published on May 26, 2026.

DailyCVE Form:

Platform: CODESYS Development System
Version: ≤ 3.5.21.40
Vulnerability: TOCTOU race condition
Severity: HIGH (CVSS 7.8/8.5)
date: 2026-05-26

Prediction: Patch expected 2026-06-10

What Undercode Say:

1. Check current version
"C:\Program Files\CODESYS\CODESYS\bin\CODESYS.exe" --version
2. Verify temp directory permissions
icacls "%TEMP%\CODESYS_Install_"
3. Monitor temp folder creation (PowerShell)
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "$env:TEMP"
$watcher.Filter = "CODESYS_Install_"
Register-ObjectEvent $watcher "Created" -Action { Write-Host "Temp dir created: $($Event.SourceEventArgs.FullPath)" }
4. Simulate race: after verification, replace file
while ($true) {
if (Test-Path "C:\Windows\Temp\CODESYS_Install\verified.dll") {
Start-Sleep -Milliseconds 200
Copy-Item "malicious.dll" "C:\Windows\Temp\CODESYS_Install\verified.dll" -Force
break
}
}

How Exploit:

  1. Attacker waits for an administrator to launch a CODESYS administrative installation.
  2. The installer creates a writable temp directory (e.g., %TEMP%\CODESYS_Install_XXXX).
  3. Attacker monitors for the creation of this directory.
  4. Installer verifies files inside the temp folder – attacker does nothing yet.

5. After verification, installer pauses for ~200‑500 ms.

  1. Attacker instantly overwrites a specific verified file with a malicious PE/DLL.
  2. Installer resumes and copies the attacker’s file (now trusted) into a privileged location (e.g., System32), achieving LPE.

Protection from this CVE:

  • Upgrade to CODESYS Development System version 3.5.22.20 or later (released 2026‑05‑20).
  • Apply principle of least privilege – do not run installations as Administrator unless absolutely required.
  • Use endpoint detection rules to monitor `%TEMP%` for suspicious file overwrites during CODESYS installers.
  • Enforce application whitelisting (WDAC, AppLocker) to block unsigned binaries dropped into sensitive directories.

Impact:

  • Confidentiality, Integrity, Availability – all rated HIGH because the attacker gains full control over the host (CVSS v3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
  • Widespread risk – CODESYS Development System is used globally in industrial automation, OT environments, and PLC programming workstations.
  • Chainable – can be combined with other vulnerabilities (e.g., CVE‑2026‑44468) to further compromise an engineering workstation and then pivot to industrial control systems.
  • No known public exploit at time of writing, but the low complexity and “practical” race window make weaponization highly probable within weeks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top