Input Validation Flaw in OpenPLC Runtime by Autonomous Logic
CVE-2025-34226

7.1 HIGH

Key Information:

Vendor
CVE Published: 3 October 2025

What is CVE-2025-34226?

An input validation flaw in OpenPLC Runtime v3 lets an attacker submit a crafted upload to the /upload-program-action endpoint. The epoch_time field is not properly validated, so a malformed value can corrupt the program database. After a malformed upload the runtime keeps running until its next restart, at which point it may fail to initialize because of the corrupted database entries. The result can be a persistent denial of service that requires a complete reinstallation to restore functionality. The issue has been addressed in a recent patch, so affected installations should be updated.
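The following is an added example, not OpenPLC's code or its patch: a strict check for an epoch_time form field before it reaches the database, plus a startup audit that finds rows already stored with a bad timestamp. The table name `programs`, the column `date_upload`, the function names and the accepted range are assumptions made for illustration.

```python
import sqlite3
import time

# Hypothetical schema and bounds (assumptions): not before 2000-01-01 UTC, at most one day ahead.
MIN_EPOCH = 946684800
MAX_SKEW = 86400

def parse_epoch_time(raw, now=None):
    """Return raw as a bounded int epoch, or raise ValueError."""
    now = int(time.time()) if now is None else now
    text = raw.strip() if isinstance(raw, str) else ""
    # Digits only: rejects signs, floats, exponents, empty input and SQL fragments.
    if not (text.isascii() and text.isdigit()) or len(text) > 12:
        raise ValueError("epoch_time must be a plain decimal integer")
    value = int(text)
    if not MIN_EPOCH <= value <= now + MAX_SKEW:
        raise ValueError("epoch_time outside accepted range")
    return value

def store_program(conn, name, raw_epoch, now=None):
    """Validate first, then insert with bound parameters."""
    epoch = parse_epoch_time(raw_epoch, now)
    conn.execute("INSERT INTO programs (name, date_upload) VALUES (?, ?)", (name, epoch))
    conn.commit()
    return epoch

def audit_programs(conn, now=None):
    """Startup check: return ids of rows whose timestamp would not load cleanly."""
    bad = []
    for row_id, stamp in conn.execute("SELECT id, date_upload FROM programs"):
        try:
            parse_epoch_time(str(stamp), now)
        except ValueError:
            bad.append(row_id)
    return bad

def demo():
    """Constructed data: one valid row, one malformed legacy row, one rejected upload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE programs (id INTEGER PRIMARY KEY, name TEXT, date_upload)")
    now = 1760000000
    store_program(conn, "blink.st", "1759500000", now)
    conn.execute("INSERT INTO programs (name, date_upload) VALUES ('old.st', 'not-a-time')")
    try:
        store_program(conn, "bad.st", "1e99", now)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, audit_programs(conn, now)
```

Running the audit before the service loads its program list lets a bad row be quarantined or repaired instead of blocking initialization.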

Affected Version(s)

OpenPLC Runtime 3.0

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eyodav (Mike G.A)