
CVE-2025-41691: CWE-476 NULL Pointer Dereference in CODESYS Control RTE (SL)

High
Tags: Vulnerability, CVE-2025-41691, cve, cwe-476
Published: Mon Aug 04 2025 (08/04/2025, 08:04:34 UTC)
Source: CVE Database V5
Vendor/Project: CODESYS
Product: Control RTE (SL)

Description

An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.

AI-Powered Analysis

AI analysis last updated: 08/04/2025, 08:32:51 UTC

Technical Analysis

CVE-2025-41691 is a high-severity vulnerability identified in the CODESYS Control Runtime Environment (RTE) for SoftLogic (SL), specifically affecting version 3.5.21.10. The vulnerability is classified as CWE-476, which corresponds to a NULL pointer dereference. This type of flaw occurs when the software attempts to access or dereference a pointer that has not been properly initialized or has been set to NULL, leading to undefined behavior.

In this case, an unauthenticated remote attacker can send specially crafted communication requests to the affected CODESYS Control RTE, triggering the NULL pointer dereference. The consequence of this is a denial-of-service (DoS) condition, where the runtime system crashes or becomes unresponsive, disrupting normal operations. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N. The impact is limited to availability, with no direct confidentiality or integrity compromise reported.

No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in August 2025, indicating recent discovery and disclosure. CODESYS Control RTE is widely used in industrial automation systems, programmable logic controllers (PLCs), and embedded control devices, making this vulnerability particularly relevant to operational technology (OT) environments.
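To make the CWE-476 pattern concrete, the following C example (added here; it is not CODESYS code and does not reflect the real CODESYS protocol or the actual faulting code path, which the advisory does not disclose) contrasts a request handler that dereferences an optional payload pointer unconditionally with a hardened version that validates the pointer and rejects the request instead of crashing. The request layout, the `request_t` type, and the `process_datagram` helper are constructed assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed request layout for this example (hypothetical, not the real
 * CODESYS wire format): one service-id byte followed by an optional payload. */
typedef struct {
    uint8_t service_id;
    const uint8_t *payload;    /* NULL when the request carried no payload */
    size_t payload_len;
} request_t;

/* Parse a raw datagram. Returns 0 on success, -1 if the buffer is unusable.
 * A header-only datagram parses fine but leaves payload == NULL. */
int parse_request(const uint8_t *buf, size_t len, request_t *out)
{
    if (buf == NULL || out == NULL || len < 1)
        return -1;
    out->service_id = buf[0];
    if (len > 1) {
        out->payload = buf + 1;
        out->payload_len = len - 1;
    } else {
        out->payload = NULL;
        out->payload_len = 0;
    }
    return 0;
}

/* Vulnerable handler (CWE-476): assumes every request carries a payload and
 * dereferences the pointer unconditionally. A header-only request makes
 * payload NULL, and the dereference crashes the whole runtime process: the
 * availability loss is the DoS outcome described above. Shown for contrast. */
int handle_vulnerable(const request_t *req)
{
    return req->payload[0];
}

/* Hardened handler: validates pointer and length before any access and
 * rejects the request with an error code, so the runtime keeps serving. */
int handle_hardened(const request_t *req)
{
    if (req == NULL || req->payload == NULL || req->payload_len == 0)
        return -1;    /* malformed request rejected, process stays alive */
    return req->payload[0];
}

/* Full hardened path from raw bytes to result: -1 on rejection, otherwise
 * the first payload byte. Rejections are logged so repeated malformed
 * requests become visible to monitoring instead of being silently dropped. */
int process_datagram(const uint8_t *buf, size_t len)
{
    request_t req;
    if (parse_request(buf, len, &req) != 0) {
        fprintf(stderr, "rejected: datagram too short\n");
        return -1;
    }
    int rc = handle_hardened(&req);
    if (rc < 0)
        fprintf(stderr, "rejected: service %u without payload\n", req.service_id);
    return rc;
}

/* Constructed sample datagrams. */
static const uint8_t SAMPLE_GOOD[] = { 0x01, 0x2a, 0x00 };  /* service 1, payload 0x2a 0x00 */
static const uint8_t SAMPLE_BARE[] = { 0x01 };              /* service 1, no payload */

int demo_good(void) { return process_datagram(SAMPLE_GOOD, sizeof SAMPLE_GOOD); }
int demo_bare(void) { return process_datagram(SAMPLE_BARE, sizeof SAMPLE_BARE); }

int main(void)
{
    printf("good -> %d\n", demo_good());   /* 42 */
    printf("bare -> %d\n", demo_bare());   /* -1 */
    /* handle_vulnerable() on the bare request would dereference NULL and
     * abort the process; it is deliberately not called here. */
    return 0;
}
```

The hardened handler returns an error code on a header-only request where the vulnerable one would take the process down. Logging each rejection is the detection hook: a burst of rejected header-only requests from one source is the kind of signal the IDS/IPS and monitoring recommendations further down are meant to catch.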

Potential Impact

For European organizations, especially those operating in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a significant risk. Exploitation can lead to denial-of-service conditions on control systems, potentially halting production lines, disrupting energy distribution, or impairing critical infrastructure operations. Such disruptions can cause financial losses, safety hazards, and regulatory compliance issues under frameworks like NIS2 and GDPR if service availability impacts data processing or safety. The fact that exploitation requires no authentication and can be performed remotely increases the threat level, as attackers do not need insider access. Although no data confidentiality or integrity is directly compromised, the availability impact alone can have cascading effects in interconnected industrial environments. European organizations relying on CODESYS Control RTE should consider this vulnerability a critical operational risk, particularly in sectors where uptime and system reliability are paramount.

Mitigation Recommendations

1. Immediate identification and inventory of all CODESYS Control RTE (SL) version 3.5.21.10 deployments within the organization.
2. Apply vendor patches or updates as soon as they become available; monitor CODESYS advisories for official fixes.
3. Implement network segmentation to isolate industrial control systems from general IT networks and restrict access to CODESYS Control RTE devices to trusted management networks only.
4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection capabilities tailored to detect malformed or suspicious communication requests targeting CODESYS protocols.
5. Employ strict firewall rules to limit inbound traffic to only necessary sources and ports used by CODESYS Control RTE.
6. Conduct regular security assessments and penetration tests focusing on industrial control systems to identify potential exploitation attempts.
7. Establish robust incident response plans specific to OT environments to quickly respond to DoS events affecting control systems.
8. Train operational staff to recognize signs of system instability or crashes that may indicate exploitation attempts.
9. Consider temporary compensating controls such as disabling unnecessary communication interfaces or protocols on affected devices until patches are applied.


Technical Details

Data Version: 5.1
Assigner Short Name: CERTVDE
Date Reserved: 2025-04-16T11:17:48.309Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68906ca0ad5a09ad00df5902

Added to database: 8/4/2025, 8:17:36 AM

Last enriched: 8/4/2025, 8:32:51 AM

Last updated: 8/4/2025, 2:26:29 PM

Views: 6
