
CODESYS
CODESYS Control V3 Untrusted Boot Application Advisory
Pages
5
Time to read
6 mins
Publication
Language
English

This document is a security advisory detailing a vulnerability in the CODESYS Control runtime system, identified as CVE-2025-41660. It outlines the potential impact of this vulnerability, which allows low-privileged remote attackers to replace the boot application of the CODESYS Control runtime system, leading to unauthorized code execution on the PLC. The advisory specifies affected products and versions, including CODESYS Control RTE and CODESYS HMI, and provides remediation steps, recommending updates to specific versions to mitigate the risk. Additionally, it discusses configuration settings that can enhance security, such as enforcing signed applications and restricting Service group permissions. General security recommendations are also provided to improve the overall security posture of the control systems. The advisory concludes with acknowledgments and a disclaimer regarding the information provided.