
CODESYS
CODESYS Control V3 NULL Pointer Dereference Advisory
Pages
4
Time to read
4 mins
Publication
Language
English

This document is a security advisory detailing a vulnerability in the CODESYS Control runtime system's CmpDevice component, identified as CVE-2025-41691. The advisory outlines that this vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) condition through specially crafted communication requests. The issue arises from a NULL pointer dereference and also affects systems when outdated CODESYS clients attempt to log in. The advisory specifies the affected products, which include various versions of CODESYS Control RTE, CODESYS Control for BeagleBone, and others, detailing the specific versions that are impacted. It also provides remediation steps, recommending updates to specific versions to mitigate the vulnerability. Additionally, the advisory suggests general security recommendations to enhance protection against such vulnerabilities, including using firewalls, encrypted communication, and limiting network exposure. The document concludes with acknowledgments and a disclaimer regarding liability.