CVE-2025-41658: CWE-276 Incorrect Default Permissions in CODESYS Runtime Toolkit
CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.
AI Analysis
Technical Summary
CVE-2025-41658 is a medium-severity vulnerability identified in the CODESYS Runtime Toolkit, a widely used software platform for industrial automation and control systems. The vulnerability stems from incorrect default file permissions (CWE-276), which cause sensitive files within the Runtime Toolkit to be accessible to local users with low privileges on the operating system. Specifically, the default permission settings allow local non-administrative users to read sensitive files that should otherwise be restricted. This exposure does not require user interaction and can be exploited with low attack complexity, but it requires local access and low-level privileges on the affected system. The vulnerability impacts confidentiality, as unauthorized users can access sensitive data, but it does not affect integrity or availability.
The CVSS 3.1 base score is 5.5, reflecting a medium severity level, with the vector indicating local attack vector (AV:L), low complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. The affected versions are broadly indicated as 0.0.0.0, which likely means all current versions of the Runtime Toolkit at the time of disclosure are affected. This vulnerability is significant in industrial environments where CODESYS Runtime Toolkit is deployed, as it may allow local attackers or compromised accounts to access sensitive configuration or operational files, potentially facilitating further attacks or information leakage.
Potential Impact
For European organizations, especially those operating in critical infrastructure sectors such as manufacturing, energy, and utilities, this vulnerability poses a risk to the confidentiality of sensitive operational data. Unauthorized local access to configuration files or runtime data could enable attackers to gather intelligence on industrial processes, potentially leading to targeted attacks or sabotage. While the vulnerability does not directly affect system integrity or availability, the exposure of sensitive information could be leveraged in multi-stage attacks or to bypass other security controls. Given the prevalence of CODESYS in European industrial automation, organizations may face increased risk if local user accounts are compromised or if insider threats exist. The vulnerability's requirement for local access limits remote exploitation but does not eliminate risk in environments where physical or network access to devices is possible. Additionally, the lack of a patch at the time of disclosure means organizations must rely on compensating controls to mitigate risk.
Mitigation Recommendations
European organizations should:
- Immediately audit file permissions on systems running the CODESYS Runtime Toolkit to identify and restrict access to sensitive files.
- Implement strict access control policies ensuring that only authorized administrative users have read or write permissions to critical files.
- Employ host-based intrusion detection systems (HIDS) to monitor unauthorized access attempts to sensitive files.
- Limit the number of users with local access to industrial control systems and enforce the principle of least privilege.
- Use network segmentation to isolate industrial control systems from general IT networks, reducing the risk of lateral movement by attackers.
- Where possible, apply operating system-level hardening to enforce mandatory access controls (e.g., SELinux, AppArmor) to restrict file access beyond default permissions.
- Monitor logs for unusual local access patterns.
- Stay alert for vendor updates or patches addressing this vulnerability and plan for timely deployment once available.
- Conduct regular security awareness training for personnel with local access to industrial systems to reduce insider threat risks.
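One way to carry out the permission audit on a Linux-based controller, as an added example that is not part of the advisory or of CODESYS tooling. The directory passed in is a placeholder for wherever the runtime keeps its files (the advisory names no paths), the function names are hypothetical, and it assumes that only the runtime's own account and group need access.

```shell
#!/bin/sh
# Added example: audit and tighten "other" permission bits under a runtime
# directory. The directory argument is a placeholder; the advisory does not
# name the affected paths, so point it at your product's data/config tree.

# Print every regular file or directory under $1 that grants read, write
# or execute to "other" (any local user outside the owner and group).
# Symlinks are skipped because their own mode bits are not meaningful.
audit_world_access() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null | sort
}

# Number of findings, for use in monitoring checks or CI gates.
count_world_access() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Remove all "other" bits from the findings. Owner and group bits are left
# untouched so the runtime service account keeps working.
restrict_world_access() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec chmod o-rwx {} +
}

# Stand-alone use: ./audit.sh <dir> [--fix]
if [ "$#" -ge 1 ]; then
    echo "Entries accessible to other users under $1:"
    audit_world_access "$1"
    if [ "${2:-}" = "--fix" ]; then
        restrict_world_access "$1"
        echo "Remaining after fix: $(count_world_access "$1")"
    fi
fi
```

Run the audit without `--fix` first and review the list, since some products may rely on world-readable files for legitimate helper processes.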
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland, Czech Republic, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:17:48.306Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68906ca0ad5a09ad00df58fc
Added to database: 8/4/2025, 8:17:36 AM
Last enriched: 8/4/2025, 8:33:14 AM
Last updated: 8/30/2025, 5:14:38 AM