CVE-2026-2364 PUBLISHED

CODESYS Installer TOCTOU Privilege Escalation

Assigner: CERTVDE
Reserved: 11.02.2026 Published: 10.03.2026 Updated: 10.03.2026

If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	CODESYS
Product	CODESYS Installer
Versions	Default: unaffected affected from 0.0.0 to 2.6.1.0 (excl.)

Credits

David Ruscheweyh from SEW-EURODRIVE GmbH & Co KG finder

References

https://certvde.com/de/advisories/VDE-2026-012

Problem Types

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition CWE