CVE-2026-2364 is a Time-of-check to Time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, found in the CODESYS Installer component of the CODESYS Development System. The vulnerability arises during the installation or self-update process, where the installer performs security checks (time-of-check) and then uses resources or files (time-of-use) without proper synchronization or validation. This race condition can be exploited by a low-privileged local attacker who waits for a legitimate user to initiate or confirm an installation or update prompt. By exploiting the timing window between the check and use phases, the attacker can manipulate the installer’s behavior to escalate privileges, potentially gaining elevated rights on the system. The vulnerability requires local access and user interaction, as the legitimate user must confirm the update or installation prompt. The CVSS v3.1 base score is 7.3, indicating high severity due to the combination of local attack vector, low complexity, required privileges, user interaction, and the impact on confidentiality, integrity, and availability. No patches or exploits are currently publicly available, but the vulnerability is published and recognized by CERTVDE. Given that CODESYS is widely used in industrial automation and control systems, this vulnerability could have serious implications if exploited in operational environments.

The exploitation of CVE-2026-2364 can lead to a local privilege escalation, allowing attackers with limited access to gain elevated rights on systems running the CODESYS Installer. This can compromise the confidentiality of sensitive industrial control data, integrity of system configurations and software, and availability of critical automation processes. In industrial environments, such unauthorized privilege escalation can lead to sabotage, unauthorized control, or disruption of manufacturing and control operations. Organizations relying on CODESYS for automation and control are at risk of operational downtime, safety incidents, and potential regulatory non-compliance. The requirement for user interaction and local access limits remote exploitation but does not eliminate risk in environments where multiple users share systems or where attackers have gained initial footholds. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation once proof-of-concept code or weaponized exploits become available.

Until an official patch is released, organizations should implement strict local access controls to limit the ability of low-privileged users to interact with systems running the CODESYS Installer. Employ application whitelisting and endpoint protection to monitor and restrict unauthorized modifications to installer files or processes. Educate users to be cautious when confirming update or installation prompts, especially on shared or multi-user systems. Use least privilege principles to minimize the number of users with installation or update rights. Monitor system logs and audit trails for suspicious activity related to installer execution or privilege escalations. Consider isolating critical industrial control systems from general user environments to reduce local attack surfaces. Once patches become available, prioritize timely deployment and verify update integrity. Additionally, vendors and integrators should review installer code for race conditions and implement atomic operations or locking mechanisms to prevent TOCTOU vulnerabilities.