NULL Pointer Dereference in CODESYS Control Runtime Systems
CVE-2025-41691

7.5HIGH

Key Information:

Vendor: Codesys
Status: Control Rte (sl); Control Rte (for Beckhoff Cx) Sl; Control Win (sl); Hmi (sl)
Vendor: CVE Published:; 4 August 2025

What is CVE-2025-41691?

In CODESYS Control runtime systems, an unauthenticated remote attacker has the potential to exploit a NULL pointer dereference vulnerability. By sending carefully crafted communication requests, the attacker may cause a denial-of-service (DoS) condition, disrupting the normal functioning of the system. This vulnerability poses a significant risk to operational integrity and availability, emphasizing the need for prompt mitigation measures.

Affected Version(s)

Control for BeagleBone SL 4.16.0.0 < 4.17.0.0

Control for emPC-A/iMX6 SL 4.16.0.0 < 4.17.0.0

Control for IOT2000 SL 4.16.0.0 < 4.17.0.0

References

https://certvde.com/de/advisories/VDE-2025-070

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 4, 2025
Vulnerability Reserved
Apr 16, 2025

Codesys

What is CVE-2025-41691?

Affected Version(s)

References

CVSS V3.1

Timeline