Backdoors on the Factory Floor: CODESYS Flaws Expose Industrial Devices to Root Takeover
Subtitle: New research uncovers how chained vulnerabilities in CODESYS runtime could let attackers seize control of critical infrastructure.
Imagine an attacker with the keys to a factory’s digital kingdom, able to halt production lines, tamper with energy grids, or sabotage water treatment plants, all from behind a keyboard. This isn’t the plot of a techno-thriller, but a real threat unveiled by Nozomi Networks Labs. Their latest investigation reveals how weaknesses in the CODESYS Control runtime, a backbone for industrial automation worldwide, can be chained by attackers to seize root-level control of programmable logic controllers (PLCs) embedded in the sectors that run our daily lives.
The investigation targeted CODESYS Control for Raspberry Pi SL, a variant running on affordable ARM hardware but representative of a broader family of CODESYS runtimes. Nozomi’s researchers discovered that an attacker with Service-level credentials, which are often less protected than admin accounts, could leverage a sequence of vulnerabilities (including CVE-2025-41658, CVE-2025-41659, and CVE-2025-41660) to extract cryptographic keys, bypass optional protections like code signing, and overwrite legitimate PLC logic with a malicious version. Once the system restarts, their code runs with root privileges, the highest possible on the device.
The technical path is disturbingly straightforward. Using backup and restore features intended for maintenance, a hacker can download the PLC’s boot application, extract sensitive cryptographic material, modify the application to inject malicious machine code, and re-upload it, complete with a freshly computed checksum so the tampered file passes as legitimate. Optional safeguards such as encryption and signing can be neutralized using the stolen keys. The only limitation? The attacker must wait for a system reboot or operator action before their tampered code comes to life.
Why is this so dangerous? PLCs control the real-world machinery that keeps factories running, power flowing, and water clean. A compromised PLC can alter setpoints, override safety mechanisms, or falsify sensor data, potentially causing physical damage, production stoppages, or even unsafe conditions for workers and the public. The vulnerabilities align with MITRE ATT&CK for ICS techniques such as module firmware tampering, manipulation of control logic, and theft of sensitive operational data, giving adversaries a toolkit for persistent and stealthy attacks.
The root of the problem lies in CODESYS’s privilege model: Service users, designed to support backup and recovery, have broad write access that, if abused, becomes a backdoor. The backup files themselves are simple archives, making them trivial to manipulate. While CODESYS has now released patches and strengthened code-signing requirements, the episode underscores a wider lesson for industrial cybersecurity: maintenance features, if not tightly controlled, can become an attacker’s best friend.
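To make the point of the two preceding paragraphs concrete (a checksum can be recomputed by anyone holding the file, so integrity has to rest on key material the restore path cannot reach), here is an added Python illustration. The archive layout, the logic bytes and OFFLINE_KEY are constructed for this example; it is not the CODESYS boot-application format and not code from Nozomi Networks Labs.

```python
# Checksums do not authenticate: a toy model of the backup/restore weakness.
# Constructed example; the archive layout is invented and is NOT the CODESYS
# boot-application format, nor code from Nozomi Networks Labs.
import hashlib
import hmac
import struct
import zlib

# Constructed sample: the control logic as approved by the engineering team.
APPROVED_LOGIC = b"PLC_LOGIC v1: pump_on if level < 40%; pump_off if level > 80%"
# Assumption: this key exists only in the engineering/CI environment, never
# on the PLC and never inside a backup archive, so a restore cannot read it.
OFFLINE_KEY = b"engineering-signing-key-demo-only"

def pack_with_crc(payload: bytes) -> bytes:
    """Model a checksum-protected archive: payload + little-endian CRC32."""
    return payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def device_checksum_ok(archive: bytes) -> bool:
    """All a runtime can verify using nothing but the archive itself."""
    payload, stored = archive[:-4], struct.unpack("<I", archive[-4:])[0]
    return (zlib.crc32(payload) & 0xFFFFFFFF) == stored

def approved_tag(payload: bytes, key: bytes = OFFLINE_KEY) -> bytes:
    """Integrity tag computed where the key lives, not on the device."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def restore_allowed(archive: bytes, expected_tag: bytes, key: bytes = OFFLINE_KEY) -> bool:
    """Gate a restore on the off-device tag, not only on the self-check."""
    if not device_checksum_ok(archive):
        return False
    return hmac.compare_digest(approved_tag(archive[:-4], key), expected_tag)

def demo() -> dict:
    """Run both checks on the approved image and on a tampered backup."""
    approved = pack_with_crc(APPROVED_LOGIC)
    tag = approved_tag(APPROVED_LOGIC)  # recorded at build time, kept off-device
    # A backup altered by someone with restore rights and re-checksummed, as
    # the article describes; the checksum alone cannot tell it from the original.
    tampered = pack_with_crc(APPROVED_LOGIC.replace(b"80%", b"99%"))
    return {
        "approved_crc_ok": device_checksum_ok(approved),
        "tampered_crc_ok": device_checksum_ok(tampered),
        "approved_restore": restore_allowed(approved, tag),
        "tampered_restore": restore_allowed(tampered, tag),
    }
```

If the verification key is stored on the device or inside the backup, the second check collapses back into the first, which is why the stolen keys in the article neutralize optional signing.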
As factories, utilities, and critical infrastructure hurtle toward greater connectivity, the line between convenience and catastrophe grows ever thinner. The CODESYS case is a wake-up call: security must evolve as fast as the systems it protects, or the consequences could spill from the digital world into the physical, where the cost is far more than just data.
WIKICROOK
- Root Privileges: Root privileges are the highest access rights on a system, allowing complete control over all functions, settings, and data. Reserved for trusted users.
- Programmable Logic Controller (PLC): A Programmable Logic Controller (PLC) is a specialized computer that automates and controls industrial processes in factories, utilities, and infrastructure.
- Cryptographic Material: Cryptographic material includes sensitive data like encryption keys and certificates, essential for securing communications and verifying authenticity in cybersecurity.
- Code Signing: Code signing is the process of digitally signing software to prove it’s from a trusted source and hasn’t been tampered with.
- MITRE ATT&CK for ICS: MITRE ATT&CK for ICS is a framework detailing attacker tactics and techniques used to compromise industrial control systems in critical infrastructure.