VYPR
advisoryPublished Jul 9, 2026· 1 source

Critical Vulnerability in End-of-Life OpenPLC v3 Allows Arbitrary Code Execution

A critical vulnerability in the end-of-life OpenPLC v3 industrial control system software allows authenticated attackers to achieve arbitrary code execution.

CISA has issued an advisory detailing a critical vulnerability, CVE-2026-14480, affecting OpenPLC v3, an open-source platform for programmable logic controllers. The vulnerability resides within the legacy web UI's program-upload workflow and permits an authenticated attacker to write arbitrary files to the filesystem. This capability can be escalated to achieve arbitrary native code execution by overwriting core C++ source files and triggering the program compilation process.

The exploitation chain begins with an authenticated user leveraging the program-upload feature. The application's handling of the prog_file parameter, which is directly stored in the Programs.File database field, lacks proper validation. This allows an attacker to supply malicious file paths, including absolute paths, which are then used by the Python os.path.join() function to write files to any location writable by the OpenPLC webserver process. This initial arbitrary file write is the precursor to gaining deeper system control.

Once an attacker can write arbitrary files, they can target the OpenPLC runtime's build pipeline. In the default configuration, all C++ source files within the runtime core directory are automatically compiled into the executable runtime binary. By strategically placing a malicious .cpp file within this directory, an attacker can ensure their code is incorporated into the runtime.

The escalation to arbitrary native code execution occurs when an operator initiates a normal program compilation and runtime start. This process will compile the attacker's malicious C++ source file, effectively embedding their code into the OpenPLC runtime. The consequence is that the attacker's code will execute with the privileges of the OpenPLC runtime user, potentially leading to full system compromise.

OpenPLC v3 is considered end-of-life and is no longer receiving security updates, patches, or bug fixes. The vendor strongly advises users to upgrade to OpenPLC v4 to mitigate this and other potential risks. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) and a CVSS v4.0 score of 8.7 (High).

CISA recommends that organizations minimize network exposure for all control system devices and networks, ensuring they are not accessible from the internet. Isolating control system networks behind firewalls and using secure remote access methods like VPNs are crucial defensive measures. Organizations should also perform thorough impact and risk assessments before deploying any defensive strategies.

While no public exploitation of this specific vulnerability has been reported to CISA at this time, the critical nature of the flaw and the end-of-life status of the affected software highlight the urgent need for migration. The vulnerability affects OpenPLC v3 across various critical infrastructure sectors, including Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater, with worldwide deployment.

This advisory serves as a stark reminder of the risks associated with using unsupported software in industrial environments. The ability for an authenticated user to gain arbitrary code execution, especially in critical infrastructure, poses a significant threat that requires immediate attention and remediation through upgrading to supported versions.

Synthesized by Vypr AI