{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "The Firmware installed on the CR3171 is impacted by various CODESYS vulnerabilities.",
        "title": "Summary"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. IFM RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of ifm products.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "When using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.",
        "title": "General Recommendation"
      },
      {
        "category": "description",
        "text": "Update to the Firmware Version 3.3",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "CVE-2025-41659 : Unauthorized access to PKI files allows attackers to extract sensitive cryptographic keys and manipulate trusted certificates. This compromises system integrity, confidentiality and partially affects availability.\n\nCVE-2025-41658 : The affected products do not explicitly restrict read permissions for other local operating system users, potentially allowing unauthorized access to sensitive runtime files.\n\nCVE-2025-41691 : Exploitation of this vulnerability can lead to a denial-of-service (DoS) condition on affected PLCs, disrupting industrial control systems.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "CVE-2025-41659 : The vulnerability affects devices running firmware versions prior to 3.3. Due to the nature of the issue, no configuration changes, operational workarounds, or compensating controls are available that would sufficiently reduce the associated risk. Therefore, it is essential to update the affected device to firmware version 3.3.\nOperating the device on earlier firmware versions results in continued exposure to the vulnerability. Once firmware version 3.3 is installed, the vulnerability is considered fully resolved.\n\nCVE-2025-41658 : If the CODESYS Control runtime system is operated on an operating system with multi-user support, other users may potentially gain access to runtime-related files. Thus, it is essential to configure the storage locations for CODESYS Control runtime files in accordance with the operating system's security best practices. These locations should, by default, restrict access to unauthorized users. If the operating system does not support such access control mechanisms or if implementing them is not feasible, an alternative approach is to explicitly revoke read and write permissions for all non-administrative users on the directories used by the CODESYS Control runtime system.\n\nThe following directories must be secured:\n* The directory containing configuration files\n* The directory containing binary files\n* The working directory used by the runtime system\n\nNote: Protecting individual files is not sufficient. The entire directories must be secured to ensure that any files created in the future are also protected.\n\nAs possible countermeasures, it can be examined whether avoiding the use of the CODESYS environment in one's own application design is feasible.\n\nAlternatively, where applicable, all non-administrative user accounts can be removed from the system, and their re-creation should be prevented.\nAdditionally, it is recommended to disable remote access methods that allow file access (e.g., SSH) wherever possible, in order to reduce the overall attack surface.\n\nBest practice recommendations for Linux and QNX Systems:\n* Create a dedicated privileged group for accessing the above-mentioned directories, and add the user account under which the runtime process is executed to this group.\n* Set the file system permissions for these directories to deny access to \"other\" users (e.g., chmod o-rx).\n* If access for additional users is required, they can be added to the privileged group as needed.\n\nCVE-2025-41691 : The vulnerability can be mitigated by restricting the allowed login authentication type \"CmpUserMgr/UserLogin_AuthenticationType\" to \"ONLY_ASYMMETRIC\". This can be configured either via the Device Security Settings dialog in the CODESYS Development System or directly in the configuration file of the CODESYS Control runtime system (CODESYSControl.cfg) by adding the following setting:\n\n[CmpUserMgr]\nSECURITY.UserLogin_AuthenticationType=ONLY_ASYMMETRIC\n\nWith this configuration in place, both potential attackers and legacy CODESYS protocol clients (prior to version 3.5.16.0) will be blocked from logging in, thereby preventing execution of the vulnerable code path.\n\nAs possible countermeasures, it can be examined whether avoiding the use of the CODESYS environment in one's own application design is feasible.",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@ifm.com",
      "name": "ifm electronic GmbH",
      "namespace": "https://www.ifm.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "ifm advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/ifm/"
      },
      {
        "category": "self",
        "summary": "VDE-2026-005: ifm: Multiple Vulnerabilities in CR3171 - CSAF",
        "url": "https://ifm.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-005.json"
      },
      {
        "category": "self",
        "summary": "VDE-2026-005: ifm: Multiple Vulnerabilities in CR3171 - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2026-005"
      }
    ],
    "title": "ifm: Multiple Vulnerabilities in CR3171",
    "tracking": {
      "aliases": [
        "VDE-2026-005"
      ],
      "current_release_date": "2026-05-06T08:00:00.000Z",
      "generator": {
        "date": "2026-05-06T07:53:36.480Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2026-005",
      "initial_release_date": "2026-05-06T08:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-06T08:00:00.000Z",
          "number": "1.0.0",
          "summary": "initial release"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.1",
                "product": {
                  "name": "Firmware 3.1",
                  "product_id": "CSAFPID-21001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:ifm_electronic:cr3171_firmware:3.1:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "3.2",
                "product": {
                  "name": "Firmware 3.2",
                  "product_id": "CSAFPID-22001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:ifm_electronic:cr3171_firmware:3.2:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "3.3",
                "product": {
                  "name": "ifm electronic gmbh Firmware 3.3",
                  "product_id": "CSAFPID-22002",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:ifm_electronic:cr3171_firmware:3.3:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Firmware"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CR3171",
                "product": {
                  "name": "CR3171",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:ifm_electronic:cr3171:*:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          }
        ],
        "category": "vendor",
        "name": "ifm electronic gmbh"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.1 installed on CR3171",
          "product_id": "CSAFPID-0003",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:ifm_electronic:cr3171_firmware:3.1:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.2 installed on CR3171",
          "product_id": "CSAFPID-0004",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:ifm_electronic:cr3171_firmware:3.2:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "ifm electronic gmbh Firmware 3.3 installed on CR3171",
          "product_id": "CSAFPID-0002",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:ifm_electronic:cr3171_firmware:3.3:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41691",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0002"
        ],
        "known_affected": [
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "will be fixed in Firmware Version 3.3",
          "product_ids": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://www.ifm.com/de/en/product/CR3171#documents"
        },
        {
          "category": "mitigation",
          "details": "deactivate CODESYS environment on device",
          "product_ids": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CODESYS Control DoS via Unauthenticated NULL Pointer Dereference"
    },
    {
      "cve": "CVE-2025-41659",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "notes": [
        {
          "category": "description",
          "text": "A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and their keys. This allows sensitive data to be extracted or certificates to be accepted as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0002"
        ],
        "known_affected": [
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "will be fixed in Firmware Version 3.3",
          "product_ids": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://www.ifm.com/de/en/product/CR3171#documents"
        },
        {
          "category": "mitigation",
          "details": "deactivate CODESYS environment on device",
          "product_ids": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CODESYS Control PKI Exposure Enables Remote Certificate Access"
    },
    {
      "cve": "CVE-2025-41658",
      "cwe": {
        "id": "CWE-276",
        "name": "Incorrect Default Permissions"
      },
      "notes": [
        {
          "category": "description",
          "text": "CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0002"
        ],
        "known_affected": [
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "will be fixed in Firmware Version 3.3",
          "product_ids": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://www.ifm.com/de/en/product/CR3171#documents"
        },
        {
          "category": "mitigation",
          "details": "deactivate CODESYS environment on device",
          "product_ids": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CODESYS Toolkit Exposes Sensitive Files via Default Permissions"
    }
  ]
}