CVE-2025-1066

9.8 CRITICAL

📋 TL;DR

OpenPLC_V3 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files to the server. This could enable remote code execution, malware deployment, or phishing campaigns. Any organization using vulnerable versions of OpenPLC_V3 is affected.

💻 Affected Systems

Products:
  • OpenPLC_V3
Versions: All versions prior to commit d1b1a3b7e97f2b3fef0876056cf9d7879991744a
Operating Systems: All platforms running OpenPLC_V3
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations with file upload functionality enabled

⚠️ Manual Verification Required

The NVD entry for this CVE carries no affected-version range; the only marker available is the fixing commit listed above, so automated scanners that match on release numbers cannot determine whether your system is affected.

Why? OpenPLC_V3 is installed by cloning its GitHub repository, so there is no release number to match against, and the vendor/NVD record supplies no version ranges. The fixing commit is the only reliable dividing line between vulnerable and patched installations.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to ransomware deployment, data exfiltration, or disruption of industrial control processes

🟠

Likely Case

Malware installation for persistence, credential theft, or use as phishing/malvertising platform

🟢

If Mitigated

Limited impact if proper file upload validation and access controls are implemented

🌐 Internet-Facing: HIGH - Directly exploitable from internet if service is exposed
🏢 Internal Only: MEDIUM - Still exploitable by internal threats or compromised devices

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details were published in a Medium article describing simple file upload bypass techniques; no special tooling is needed beyond an HTTP client that can send a multipart upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit d1b1a3b7e97f2b3fef0876056cf9d7879991744a or later

Vendor Advisory: https://github.com/thiagoralves/OpenPLC_v3/commit/d1b1a3b7e97f2b3fef0876056cf9d7879991744a

Restart Required: Yes

Instructions:

  1. Pull the latest OpenPLC_V3 from GitHub (git pull in your OpenPLC_v3 checkout), or cherry-pick commit d1b1a3b7e97f2b3fef0876056cf9d7879991744a if you maintain a fork.
  2. Confirm the commit is present in the deployed tree (see How to Verify below).
  3. Restart the OpenPLC service so the patched webserver code is loaded.

🔧 Temporary Workarounds

Disable file upload functionality (applies to: all platforms)

  Temporarily disable the file upload endpoints if program uploads are not required: modify the OpenPLC webserver configuration to remove or disable the upload handlers, and re-enable them only when a program change is scheduled.

Implement file type validation (applies to: all platforms)

  Add server-side validation to restrict allowed file types: allow-list the file extension in the upload handlers and validate the content as well. The client-supplied Content-Type (MIME) header is attacker-controlled, so a MIME check on its own is not sufficient; inspect the uploaded bytes before writing the file, and store it under a server-generated name rather than the name supplied by the client.
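One way to implement the validation described in the workaround above, as an added example that is not OpenPLC_V3's own code. It assumes the only legitimate upload is a Structured Text (.st) program, which is what OpenPLC's upload form exists for, and it ignores the client-supplied Content-Type in favour of inspecting the bytes. The function names, the forbidden magic-byte list, the size limit and the random on-disk name are this example's choices.

```python
"""Allow-list upload validation for a Flask-style handler (added example,
not OpenPLC_V3's own code).

Assumptions: the only legitimate upload is a Structured Text program, so
".st" is the single allowed extension; the client-supplied Content-Type
header is ignored because the attacker controls it, and the bytes are
inspected instead. In a Flask view you would call
validate_program_upload(f.filename, f.read()) on f = request.files["file"].
"""
import os
import re
import secrets

ALLOWED_EXTENSIONS = {".st"}           # allow-list, never a deny-list
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Leading bytes of things that must never be written to the upload directory:
# shell/Python shebang, Windows PE, ELF, and zip/jar containers.
FORBIDDEN_MAGIC = (b"#!", b"MZ", b"\x7fELF", b"PK\x03\x04")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the handler returns HTTP 400."""


def sanitize_filename(name: str) -> str:
    """Reduce an attacker-controlled name to a single safe path component."""
    # Keep only the last component so "../../etc/cron.d/x" cannot escape.
    name = name.replace("\\", "/").split("/")[-1]
    # Replace anything outside a conservative character set.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Leading dots would produce hidden files, "." or "..".
    name = name.lstrip(".")
    if not name:
        raise UploadRejected("empty filename after sanitisation")
    return name


def validate_program_upload(filename: str, data: bytes) -> str:
    """Return a safe, unique on-disk name for `data`, or raise UploadRejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    safe = sanitize_filename(filename)
    ext = os.path.splitext(safe)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    # Content checks: an .st program is plain UTF-8 text.
    if data.startswith(FORBIDDEN_MAGIC):
        raise UploadRejected("executable or archive signature in upload")
    if b"\x00" in data:
        raise UploadRejected("NUL byte in text upload")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        raise UploadRejected("upload is not valid UTF-8 text") from None
    # Never reuse the client's name on disk: random stem, allow-listed extension.
    return secrets.token_hex(8) + ext


def is_acceptable(filename: str, data: bytes) -> bool:
    """Boolean form of validate_program_upload for callers that only need yes/no."""
    try:
        validate_program_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_program_upload("pump_ctrl.st", b"PROGRAM main\nEND_PROGRAM\n"))
    for name, body in [("shell.py", b"import os\n"),
                       ("../../tmp/x.st", b"#!/bin/sh\nid\n"),
                       ("prog.st", b"\x7fELF\x02\x01")]:
        print(name, "->", "accepted" if is_acceptable(name, body) else "rejected")
```

The extension check runs on the sanitised name, so a double extension such as shell.st.py is judged by its real suffix (.py) and rejected, and the stored file never carries the client's name, which removes path traversal from the write step entirely.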

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OpenPLC systems
  • Deploy web application firewall with file upload protection rules

🔍 How to Verify

Check if Vulnerable:

Check whether the deployed OpenPLC_V3 checkout predates commit d1b1a3b7e97f2b3fef0876056cf9d7879991744a. No vulnerable release numbers are listed, so the git history of the deployed checkout is the only reliable marker.

Check Version:

cd /path/to/OpenPLC_v3
git merge-base --is-ancestor d1b1a3b7e97f2b3fef0876056cf9d7879991744a HEAD && echo "fix present" || echo "VULNERABLE: fix commit not in history"

A plain git log --oneline | head -5 shows only the newest five commits and misses the fix as soon as anything has been committed on top of it; the ancestor check above does not have that problem. If OpenPLC was installed from an archive with no .git directory, compare the upload handling code in webserver.py against the fixing commit instead.

Verify Fix Applied:

Confirm the fix commit is an ancestor of HEAD as above, then, on a non-production instance, attempt to upload a file with a disallowed extension (for example .py or .sh) through the upload form and confirm the server rejects it.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with executable extensions
  • Multiple failed upload attempts
  • Uploads from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file names
  • Outbound connections from OpenPLC server to unknown destinations

SIEM Query:

source="openplc.log" AND "POST" AND "upload" AND (".exe" OR ".php" OR ".jsp" OR ".sh" OR ".py")

Require the dot in each extension token: a bare token such as "sh" also matches "ssh" and "flask" in ordinary log lines. OpenPLC is a Python/Flask application, so ".py" belongs on the list. Note that a plain HTTP access log records only the request path and status, not the uploaded file name; capture the name at a reverse proxy or in application logging before expecting this query to fire on it.
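The three log indicators above, turned into detection logic run over constructed sample lines. This is an added example, not anything OpenPLC_V3 or the page's vendor ships: the key=value audit-log format is hypothetical (OpenPLC's own Flask/werkzeug access log records only the request path, so the file name would have to come from a reverse proxy or added application logging), and the trusted engineering subnet 10.20.0.0/24 and the failure threshold are assumptions.

```python
"""Detection logic for the log indicators listed above, run over constructed
sample lines (added example; not OpenPLC_V3's own code).

Assumptions: a hypothetical key=value upload audit log (OpenPLC itself does not
emit this; feed it from a reverse proxy or added application logging), a
trusted engineering subnet of 10.20.0.0/24, and 3 failed uploads within
5 minutes as the brute-force threshold.
"""
import ipaddress
import re
from datetime import datetime, timedelta

TRUSTED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]   # assumption
EXEC_EXTENSIONS = (".py", ".sh", ".exe", ".php", ".jsp", ".pl", ".so", ".dll")
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<kv>.*)")


def parse_line(line: str):
    """Parse 'ISO-timestamp key=value ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        k, v = token.split("=", 1)
        fields[k] = v
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields


def detect(lines):
    """Return (indicator, source, detail) tuples for the three log indicators."""
    findings = []
    failures = {}   # src -> timestamps of failed uploads inside FAIL_WINDOW
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("action") != "upload-program" or "src" not in ev:
            continue
        src = ev["src"]
        fname = ev.get("file", "")
        status = int(ev.get("status", "0"))

        # 1. Upload with an executable extension (the upload form expects .st).
        if fname.lower().endswith(EXEC_EXTENSIONS):
            findings.append(("executable-extension", src, fname))

        # 2. Upload from outside the trusted engineering subnet.
        try:
            ip = ipaddress.ip_address(src)
            trusted = any(ip in net for net in TRUSTED_SOURCES)
        except ValueError:
            trusted = False
        if not trusted:
            findings.append(("untrusted-source", src, fname))

        # 3. Repeated failed uploads from one source within the window.
        if status >= 400:
            recent = [t for t in failures.get(src, []) if ev["ts"] - t <= FAIL_WINDOW]
            recent.append(ev["ts"])
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once per burst
                findings.append(("repeated-failures", src,
                                 f"{len(recent)} failed uploads within {FAIL_WINDOW}"))
    return findings


# Constructed sample log: one legitimate engineer upload, then an external
# host that drops a .py file and hammers the endpoint with rejected uploads.
SAMPLE_LOG = [
    "2025-02-05T10:14:02Z src=10.20.0.15 user=engineer action=upload-program file=pump_ctrl.st status=200",
    "2025-02-05T10:15:10Z src=203.0.113.7 user=openplc action=upload-program file=shell.py status=200",
    "2025-02-05T10:15:11Z src=203.0.113.7 user=openplc action=upload-program file=a.st status=400",
    "2025-02-05T10:15:12Z src=203.0.113.7 user=openplc action=upload-program file=b.st status=400",
    "2025-02-05T10:15:13Z src=203.0.113.7 user=openplc action=upload-program file=c.st status=400",
    "2025-02-05T10:16:00Z src=10.20.0.15 user=engineer action=login status=200",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

On the sample above the engineer's upload produces nothing, the external host's shell.py trips both the extension and the untrusted-source rules, and its third rejected upload within the window fires the repeated-failures rule once rather than on every subsequent failure.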
