CVE-2026-3509 is a vulnerability identified in the CODESYS Control RTE (SL) runtime system, specifically version 3.5.17.0. The flaw is classified under CWE-134, which involves the use of externally-controlled format strings. In this case, an unauthenticated remote attacker can manipulate the format string parameters processed by the Audit Log component of the runtime. Format string vulnerabilities occur when user-supplied input is unsafely used as a format string in functions like printf, leading to unexpected behavior such as memory corruption or crashes. Here, the attacker’s control over the format string can cause the runtime system to enter a denial-of-service state by crashing or hanging, thus disrupting the availability of the control system. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting high severity due to its network attack vector, lack of required privileges or user interaction, and its impact on availability. No confidentiality or integrity impact is noted. The vulnerability was published on March 24, 2026, with no known exploits in the wild and no patches currently available. CODESYS Control RTE is widely used in industrial automation and control systems, making this vulnerability a significant concern for critical infrastructure and manufacturing environments. The lack of authentication requirement and remote exploitability increase the risk profile, emphasizing the need for immediate defensive measures.

The primary impact of CVE-2026-3509 is a denial-of-service condition in industrial control systems running the affected CODESYS Control RTE version. This can lead to operational downtime, disruption of automated processes, and potential safety risks in environments relying on continuous control system availability. Since the vulnerability does not affect confidentiality or integrity, data theft or manipulation is not a direct concern. However, the loss of availability in critical infrastructure such as manufacturing plants, energy grids, or transportation systems can have cascading effects, including financial losses, safety incidents, and reputational damage. The ease of exploitation—requiring no authentication or user interaction—means attackers can potentially launch attacks remotely with minimal effort. Organizations with large deployments of CODESYS Control RTE are at risk of widespread disruption if this vulnerability is exploited at scale. The absence of patches increases the window of exposure, necessitating proactive mitigation to maintain operational continuity.

1. Network Segmentation: Isolate CODESYS Control RTE systems from general IT networks and restrict access to trusted management networks only. 2. Access Controls: Implement strict firewall rules and access control lists (ACLs) to limit inbound connections to the runtime system, allowing only authorized IP addresses and protocols. 3. Input Validation and Monitoring: Although the vulnerability is in the runtime, monitor audit log inputs and network traffic for anomalous or suspicious format string patterns that could indicate exploitation attempts. 4. Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions with signatures or heuristics to detect attempts to exploit format string vulnerabilities targeting CODESYS systems. 5. Vendor Coordination: Engage with CODESYS vendor support to obtain patches or workarounds as soon as they become available and apply them promptly. 6. Incident Response Preparedness: Develop and test incident response plans specific to industrial control system DoS scenarios to minimize downtime and recovery time. 7. System Hardening: Disable or restrict audit log features if feasible, or configure logging to minimize exposure to externally-controlled inputs until a patch is released. 8. Regular Updates: Maintain up-to-date inventories of affected systems and monitor security advisories for new developments related to this CVE.