CVE-2026-44469
Description
The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative installation. A low-privileged local attacker can exploit a TOCTOU race condition with a practical time window to replace verified files with malicious ones before installation, resulting in local privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A TOCTOU race condition in CODESYS Development System's temporary directory permissions allows low-privileged local attackers to escalate privileges via malicious file replacement.
Vulnerability
CODESYS Development System versions prior to the fix contain two related vulnerabilities in the PackageManager and IPM components. During administrative installation, these components extract files to a temporary directory with incorrect default permissions. This insecure permission setting allows any local user to read, modify, or delete files within that directory. A Time-of-Check to Time-of-Use (TOCTOU) race condition arises because the system checks file integrity before placing it in the temporary directory but does not lock the directory against modifications during the subsequent installation phase. Affected versions are those before the patch released on 2026-05-26 [1].
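The check/use gap described above, as an added example (not CODESYS code and not from the advisory): a check-by-path installer next to one that verifies and installs the same bytes from a private staging directory. All function names are hypothetical; SHA-256 stands in for the digital signature check and POSIX mode bits stand in for Windows ACLs.

```python
import hashlib, os, stat, tempfile

def stage(payload: bytes) -> str:
    """Extract into a fresh directory; mkdtemp creates it with mode 0o700."""
    d = tempfile.mkdtemp(prefix="pkg-")
    path = os.path.join(d, "package.bin")
    with open(path, "wb") as f:
        f.write(payload)
    return path

def dir_is_private(path: str) -> bool:
    """True if the staging directory grants no group/other write access."""
    mode = os.stat(os.path.dirname(path)).st_mode
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))

def install_racy(path, expected, between=lambda: None) -> bytes:
    """Verify by path, then reopen by path: the file can change in between."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected:
            raise ValueError("hash mismatch")
    between()                      # time-of-check to time-of-use window
    with open(path, "rb") as f:    # second open is the time of use
        return f.read()

def install_checked(path, expected, between=lambda: None) -> bytes:
    """Read once, verify those bytes, and install exactly those bytes."""
    if not dir_is_private(path):
        raise PermissionError("staging directory is writable by others")
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected:
        raise ValueError("hash mismatch")
    between()                      # a change on disk here no longer matters
    return data

def demo() -> dict:
    """Run both installers while the staged file changes after the check."""
    good, other = b"signed package v1", b"constructed replacement"  # constructed
    expected = hashlib.sha256(good).hexdigest()
    results = {}
    for name, fn in (("racy", install_racy), ("checked", install_checked)):
        path = stage(good)
        def swap(p=path):          # simulates a concurrent modification
            with open(p, "wb") as f:
                f.write(other)
        results[name] = fn(path, expected, between=swap)
    return results
```

On Windows the directory check corresponds to creating the staging directory with a DACL that denies write access to non-administrative users before any file is extracted.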
Exploitation
An attacker must have low-privileged local access to the system. The exploitation involves monitoring the temporary directory for the appearance of a digitally verified installation file. Once detected, the attacker must replace that file with a malicious one within a practical time window before the installer uses it. The race window exists because there is a gap between the verification step and the actual installation step. The attacker can repeatedly attempt the race until successful [1].
Impact
Successful exploitation results in local privilege escalation. Since the installation process runs with elevated administrative privileges, the attacker's malicious file is installed with SYSTEM or Administrator privileges, granting the attacker full control over the affected system. This compromises the confidentiality, integrity, and availability of the system [1].
Mitigation
The vendor released a fix on 2026-05-26. Users should update CODESYS Development System to the latest version. No workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.