CVE-2026-2364
📋 TL;DR
A local attacker with low privileges can exploit a TOCTOU (Time-of-Check Time-of-Use) vulnerability in the CODESYS installer to gain elevated system rights. This occurs when legitimate users confirm self-update prompts or initiate installations. Systems running CODESYS Development System are affected.
💻 Affected Systems
- CODESYS Development System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM/root privileges, enabling complete system compromise, data theft, and persistence.
Likely Case
Local attacker escalates to administrator privileges, allowing installation of malware, credential theft, and lateral movement.
If Mitigated
Attack fails due to proper access controls, monitoring, or patched systems.
🎯 Exploit Status
Exploitation requires local access and timing the attack during user-initiated installer actions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check CODESYS vendor advisory for specific patched versions.
Vendor Advisory: https://certvde.com/de/advisories/VDE-2026-012
Restart Required: Yes
Instructions:
1. Check CODESYS vendor advisory for patched version.
2. Update CODESYS Development System to patched version.
3. Restart system if required.
🔧 Temporary Workarounds
Restrict Local Access
Platform: all
Limit local user access to systems running CODESYS to trusted personnel only.
Monitor Installer Processes
Platform: all
Monitor for suspicious process creation during CODESYS installer execution.
🧯 If You Can't Patch
- Implement strict least privilege: Ensure no low-privileged users have local access to affected systems.
- Enable detailed auditing of process creation and privilege escalation events on affected systems.
🔍 How to Verify
Check if Vulnerable:
Check CODESYS version against vendor advisory; if unpatched and local access exists, system is vulnerable.
Check Version:
Check within CODESYS Development System interface or consult vendor documentation.
Verify Fix Applied:
Confirm CODESYS version is updated to patched version specified in vendor advisory.
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Suspicious process creation during CODESYS installer execution
Network Indicators:
- None - this is a local attack
SIEM Query:
Search for Event ID 4688 (Windows) or similar process creation logs with CODESYS installer and unexpected parent/child processes.
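One way to run that search offline over exported Security events, as an added example that is not from the vendor advisory or this database. The installer match string, both allowlists and the sample events are assumptions constructed for illustration; replace them with the image names you baseline in your own environment.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumptions to adapt per site; none of these values come from the advisory.
INSTALLER_HINT = "codesys"                   # substring of the installer image path
EXPECTED_CHILDREN = {"msiexec.exe"}          # children baselined as normal
EXPECTED_PARENTS = {"explorer.exe"}          # how users normally start the installer
ELEVATED = {"S-1-16-12288", "S-1-16-16384"}  # High and System integrity labels

def parse_4688(xml_text):
    """Return the EventData fields of one exported 4688 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    return {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}

def triage(ev):
    """Return a reason string when the installer's parent or child is unexpected."""
    parent, child = ev.get("ParentProcessName", ""), ev.get("NewProcessName", "")
    p_inst, c_inst = (INSTALLER_HINT in s.lower() for s in (parent, child))
    base = lambda path: path.lower().rsplit("\\", 1)[-1]
    if p_inst and not c_inst and base(child) not in EXPECTED_CHILDREN:
        return "unexpected child of installer"
    if c_inst and not p_inst and base(parent) not in EXPECTED_PARENTS:
        return "installer started by unexpected parent"
    return None

def scan(xml_events):
    hits = []
    for ev in filter(None, map(parse_4688, xml_events)):
        reason = triage(ev)
        if reason:  # tuple: reason, parent image, new image, ran at High/System integrity
            hits.append((reason, ev.get("ParentProcessName"), ev.get("NewProcessName"),
                         ev.get("MandatoryLabel") in ELEVATED))
    return hits

def sample_event(parent, child, label, event_id=4688):
    """Constructed sample shaped like an exported Security event (not real log data)."""
    data = {"NewProcessName": child, "ParentProcessName": parent, "MandatoryLabel": label}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

SAMPLES = [  # constructed paths; CODESYS_Setup.exe is a hypothetical file name
    sample_event(r"C:\Temp\CODESYS_Setup.exe", r"C:\Windows\System32\msiexec.exe", "S-1-16-12288"),
    sample_event(r"C:\Temp\CODESYS_Setup.exe", r"C:\Users\op\AppData\Local\Temp\helper.exe", "S-1-16-12288"),
    sample_event(r"C:\Windows\System32\cmd.exe", r"C:\Temp\CODESYS_Setup.exe", "S-1-16-8192"),
    sample_event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "S-1-16-8192"),
]
if __name__ == "__main__": print(*scan(SAMPLES), sep="\n")
```

The `ParentProcessName` field is only populated in 4688 events on Windows 10 / Server 2016 and later, and process creation auditing must be enabled for the events to exist at all.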