CVE-2025-41659: CWE-732 Incorrect Permission Assignment for Critical Resource in CODESYS Control RTE (SL)

High
Published: Mon Aug 04 2025 (08/04/2025, 08:04:04 UTC)
Source: CVE Database V5
Vendor/Project: CODESYS
Product: Control RTE (SL)

Description

A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and their keys. This allows sensitive data to be extracted or certificates to be accepted as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.

AI-Powered Analysis

Last updated: 08/04/2025, 08:33:01 UTC

Technical Analysis

CVE-2025-41659 is a high-severity vulnerability affecting CODESYS Control RTE (SL). The root cause is an incorrect permission assignment (CWE-732) that allows a low-privileged remote attacker to access the PKI folder of the runtime system. This folder contains critical cryptographic assets such as certificates and private keys. An attacker who exploits the vulnerability can read and write these certificates and keys, and can therefore extract sensitive data or manipulate trust relationships by having malicious certificates accepted as trusted. Although the services running on the device remain operational, deleting or tampering with certificates forces communication to fall back to unencrypted channels, significantly weakening security. The vulnerability has a CVSS 3.1 base score of 8.3, reflecting high impact on confidentiality and integrity, with low attack complexity and no user interaction required. There are currently no known exploits in the wild, but the potential for misuse in industrial control systems is significant given the critical role of CODESYS in automation environments.

Potential Impact

For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability poses a serious risk. CODESYS Control RTE is widely used in programmable logic controllers (PLCs) and embedded control systems that manage industrial processes. Unauthorized access to PKI materials can lead to interception or manipulation of encrypted communications, undermining the integrity and confidentiality of operational data. Attackers could impersonate legitimate devices or controllers by injecting trusted certificates, facilitating man-in-the-middle attacks or unauthorized command execution. Although availability is not directly impacted, the fallback to unencrypted communication increases exposure to eavesdropping and data tampering. This could result in operational disruptions, intellectual property theft, or safety hazards. The vulnerability's remote exploitability and low privilege requirement increase the attack surface, making it a critical concern for European industrial operators who rely on secure automation systems to comply with regulatory standards such as NIS2 and GDPR.

Mitigation Recommendations

Immediate mitigation should focus on restricting access permissions to the PKI folder within the CODESYS Control RTE environment, ensuring that only highly privileged system processes and administrators can read or write certificate files. Network segmentation should be enforced to isolate control systems from less trusted networks, limiting remote access vectors. Implement strict access control lists (ACLs) and monitor file integrity of PKI assets to detect unauthorized changes promptly. Deploy network intrusion detection systems (NIDS) with signatures or heuristics tailored to detect anomalous access patterns to the PKI folder or certificate manipulation attempts. Since no patch links are currently available, organizations should engage with CODESYS support for guidance on upcoming patches or workarounds. Additionally, enforce multi-factor authentication for administrative access and conduct regular audits of certificate trust stores to identify and revoke any unauthorized certificates. Finally, ensure that backup copies of certificates and keys are securely stored offline to enable rapid recovery if tampering occurs.


Technical Details

Data Version: 5.1
Assigner Short Name: CERTVDE
Date Reserved: 2025-04-16T11:17:48.307Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68906ca0ad5a09ad00df58ff

Added to database: 8/4/2025, 8:17:36 AM

Last enriched: 8/4/2025, 8:33:01 AM

Last updated: 9/1/2025, 7:17:09 PM
