CVE-2026-3509 is a vulnerability classified under CWE-134 (Use of Externally-Controlled Format String) affecting the CODESYS Control Runtime Environment (RTE) for the SL platform, specifically version 3.5.17.0. The flaw arises because the Audit Log component processes messages with format strings that can be externally controlled by an attacker without authentication. This allows a remote attacker to craft malicious input that manipulates the format string processing, potentially triggering a denial-of-service (DoS) condition by causing the runtime system to crash or become unstable. The vulnerability is exploitable remotely over the network without any privileges or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and impact on availability, although confidentiality and integrity remain unaffected. The vulnerability was published on March 24, 2026, and no known exploits have been reported in the wild. No patches have been released at the time of this report, so mitigation relies on network-level controls and monitoring. CODESYS is widely used in industrial automation and control systems, making this vulnerability particularly relevant to critical infrastructure and manufacturing sectors.

The primary impact of CVE-2026-3509 is a denial-of-service condition that can disrupt the availability of industrial control systems running CODESYS Control RTE (SL). This can lead to operational downtime, loss of process control, and potential safety risks in industrial environments. Since the vulnerability does not affect confidentiality or integrity, data theft or manipulation is not a direct concern. However, the disruption of availability in critical infrastructure such as manufacturing plants, energy production, or water treatment facilities can have significant economic and safety consequences. The ease of remote exploitation without authentication increases the likelihood of opportunistic attacks, especially in environments with exposed or poorly segmented networks. Organizations relying on CODESYS for automation may face operational interruptions, increased incident response costs, and reputational damage if exploited.

1. Immediately restrict network access to the CODESYS Control RTE (SL) systems by implementing strict firewall rules and network segmentation to isolate these devices from untrusted networks. 2. Monitor network traffic and system logs for unusual or malformed messages targeting the Audit Log functionality to detect potential exploitation attempts. 3. Disable or limit remote access to the affected runtime system where possible until a vendor patch is available. 4. Engage with CODESYS vendor support to obtain information on patch availability and apply updates promptly once released. 5. Implement intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tailored to detect format string attack patterns against CODESYS components. 6. Conduct regular security assessments and penetration testing focused on industrial control systems to identify and remediate similar vulnerabilities. 7. Educate operational technology (OT) personnel about the risks of unauthenticated remote attacks and the importance of network hygiene in industrial environments.