
Attackers Exploit Chained Vulnerabilities to Backdoor CODESYS Applications, Gaining Full Control

Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.

By: Marcin Pocztowski

Published: Apr 27, 2026

Updated: May 01, 2026

Incident status: Resolved or patched

Corroborating sources: 2

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 as a network administrator, looking first at device role, exposed management planes, VPN or routing impact and the order in which changes can be made without breaking production traffic. His note is deliberately operational: on Juniper-style edge or firewall environments, isolate admin access and preserve logs before patching, and do not claim broader exposure than the 2 corroborating sources can prove.

Review our editorial policy or send corrections to [email protected].

Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.

Multiple vulnerabilities in the widely used CODESYS Control runtime enable attackers to chain exploits, replacing legitimate industrial control applications with backdoored versions. This attack grants full administrative privileges, posing a high risk to critical infrastructure relying on Soft PLC platforms.

What happened

Researchers at Nozomi Networks Labs have uncovered a series of interlinked vulnerabilities in the CODESYS Control runtime environment, one of the most widely adopted software-based programmable logic controller (Soft PLC) platforms globally. By chaining these security flaws, an authenticated attacker can replace a legitimate industrial control application with a malicious backdoored version. This manipulation escalates the attacker’s privileges, granting them full administrative control over the affected system.

This discovery, reported by multiple cybersecurity sources and consolidated here, highlights a critical threat to industrial control systems (ICS) that rely on CODESYS for automation and control tasks. The attack vector leverages weaknesses in authentication and application integrity checks, allowing adversaries to bypass protections and implant persistent malware within operational environments.

Confirmed facts

  • The vulnerabilities reside within the CODESYS Control runtime, affecting multiple versions widely deployed in industrial settings.
  • Attackers require authenticated access to initiate the exploit chain, but once inside, they can escalate privileges to full administrative rights.
  • The exploit enables the replacement of legitimate control applications with backdoored versions, effectively implanting malware directly into the control logic.
  • Nozomi Networks Labs provided detailed technical analysis confirming the feasibility of this chained attack.
  • The vulnerabilities allow attackers to maintain persistence and potentially manipulate industrial processes undetected.
  • Patches and mitigations have been released by CODESYS, but many systems remain unpatched and vulnerable.

Who is affected

  • Industrial organizations using CODESYS Control runtime for automation, including manufacturing plants, utilities, and critical infrastructure operators.
  • Systems running outdated or unpatched versions of CODESYS Control runtime.
  • Entities with insufficient network segmentation or weak authentication controls allowing attackers to gain initial access.

Given CODESYS’s extensive adoption in industries worldwide, the attack surface is significant. Organizations operating Soft PLCs with CODESYS must consider themselves at risk until mitigations are fully applied.

What to do now

  • Immediately audit all systems running CODESYS Control runtime to identify vulnerable versions.
  • Apply all available security patches and updates released by CODESYS without delay.
  • Review authentication mechanisms and enforce strong, multi-factor authentication where possible to prevent unauthorized access.
  • Conduct thorough integrity checks of deployed industrial control applications to detect unauthorized modifications or backdoors.
  • Monitor network traffic and system logs for unusual activity indicative of privilege escalation or application replacement.
  • Isolate critical control systems from broader corporate networks to limit lateral movement opportunities for attackers.

How to secure yourself

  • Implement strict access controls limiting who can authenticate to CODESYS environments.
  • Employ network segmentation and firewalls to restrict communication paths to and from Soft PLC systems.
  • Use intrusion detection and prevention systems tailored for industrial protocols to detect anomalous behavior.
  • Regularly backup control application configurations and binaries, enabling rapid restoration if compromise is detected.
  • Train operational technology (OT) personnel on recognizing signs of compromise and the importance of patch management.
  • Collaborate with cybersecurity vendors specializing in ICS security for continuous monitoring and threat intelligence.

FAQ

What is CODESYS and why is it important?

CODESYS is a software platform used worldwide to program and control industrial automation systems via Soft PLCs. It is critical because it manages processes in manufacturing, utilities, and infrastructure.

How do attackers exploit the CODESYS vulnerabilities?

Attackers chain multiple vulnerabilities to bypass authentication and replace legitimate control applications with malicious backdoored versions, gaining full administrative control.

Do attackers need physical access to exploit these vulnerabilities?

No, attackers require authenticated access, which can be obtained remotely if network defenses are weak or credentials are compromised.

Are all versions of CODESYS Control runtime vulnerable?

Multiple versions are affected, but CODESYS has released patches. Users must verify their specific versions and apply updates promptly.

What can happen if my CODESYS system is compromised?

Attackers can manipulate industrial processes, cause downtime, steal sensitive data, or implant persistent malware, potentially leading to safety hazards and operational disruption.

How can I check if my system is backdoored?

Perform integrity checks on control applications, monitor for unusual system behavior, and use specialized ICS security tools to detect unauthorized modifications.
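The integrity check recommended in "What to do now" and in this answer can be made concrete with a hash manifest of the deployed application files: baseline them while the system is known-good, store the manifest off the controller, and re-verify on a schedule. The Python below is an added example, not code from the HackWatch article, Nozomi Networks Labs or CODESYS; the directory layout, file names and contents it creates are constructed placeholders, and a real deployment would point `build_manifest` at the directory where the runtime actually stores its application.

```python
"""Added example: file-integrity baseline for deployed control-application files.

Not from the article, Nozomi Networks Labs or CODESYS. All paths, file names
and contents below are constructed placeholders.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: Path) -> dict:
    """Record SHA-256 and size for every file under app_dir, keyed by relative path."""
    manifest = {}
    for p in sorted(app_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(app_dir).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_manifest(app_dir: Path, baseline: dict) -> dict:
    """Compare the current tree with the stored baseline.

    Returns sorted lists of modified, missing and added files plus a 'clean' flag.
    A replaced application shows up as 'modified'; a dropped helper as 'added'.
    """
    current = build_manifest(app_dir)
    modified = sorted(
        f for f in baseline
        if f in current and current[f]["sha256"] != baseline[f]["sha256"]
    )
    missing = sorted(f for f in baseline if f not in current)
    added = sorted(f for f in current if f not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "added": added,
        "clean": not (modified or missing or added),
    }


def demo() -> dict:
    """Build a constructed application directory, baseline it, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder layout; not a real runtime path.
        app_dir = Path(tmp) / "control_app"
        (app_dir / "app").mkdir(parents=True)
        (app_dir / "app" / "control.bin").write_bytes(b"constructed application image")
        (app_dir / "app" / "control.crc").write_bytes(b"constructed checksum file")
        (app_dir / "config.cfg").write_text("constructed runtime config\n")

        # The baseline would be kept on a separate, write-protected system;
        # JSON keeps it human-reviewable and diffable.
        baseline_json = json.dumps(build_manifest(app_dir), indent=2, sort_keys=True)
        assert verify_manifest(app_dir, json.loads(baseline_json))["clean"]

        # Simulate an unauthorized application replacement, an extra dropped
        # file and a removed configuration file.
        (app_dir / "app" / "control.bin").write_bytes(b"constructed replaced image")
        (app_dir / "app" / "extra.bin").write_bytes(b"\x00")
        (app_dir / "config.cfg").unlink()
        return verify_manifest(app_dir, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing alone does not tell you whether a change was authorized; pair the report with change records for engineering downloads so that an unexplained "modified" entry on the running application is treated as a possible replacement rather than noise.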

What immediate steps should I take if I suspect compromise?

Isolate the affected system, conduct a forensic investigation, restore from clean backups, and apply all security patches.

How does this vulnerability impact industrial cybersecurity?

It demonstrates how chained vulnerabilities can enable deep system compromise, highlighting the critical need for layered defenses and rigorous patch management in ICS.

Will future updates from CODESYS prevent such attacks?

While updates improve security, ongoing vigilance, network segmentation, and strong authentication remain essential to defend against evolving threats.

Why this matters

Industrial control systems underpin critical infrastructure and manufacturing processes worldwide. The ability of attackers to backdoor CODESYS applications through chained vulnerabilities represents a severe risk of operational disruption, safety incidents, and economic damage. Unlike typical IT breaches, ICS compromises can have physical consequences, making timely detection and remediation imperative.

This incident underscores the increasing sophistication of threats targeting operational technology and the necessity for integrated cybersecurity strategies tailored to industrial environments.

Sources and corroboration

This article is based on detailed technical analysis and reporting by Nozomi Networks Labs and corroborated by multiple cybersecurity news outlets, including Cyber Security News. The findings have been validated through independent research and vendor disclosures from CODESYS.

  • https://cybersecuritynews.com/attackers-backdoor-codesys-applications/
  • Nozomi Networks Labs technical reports
  • CODESYS official security advisories

Sources used for this article

gbhackers.com, cybersecuritynews.com


Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Attackers Exploit Chained Vulnerabilities to Backdoor CODESYS Applications, Gaining Full Control".


Topics: Server and network infrastructure administration; Known exploited vulnerabilities and patch prioritization; CVSS v4.0 and CISA KEV triage