{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2364", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-02-11T18:46:15.172Z", "datePublished": "2026-03-10T07:22:42.658Z", "dateUpdated": "2026-03-10T16:51:59.328Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CODESYS Installer", "vendor": "CODESYS", "versions": [{"lessThan": "2.6.1.0", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Ruscheweyh from SEW-EURODRIVE GmbH & Co KG"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer.<br>"}], "value": "If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-03-10T07:22:42.658Z"}, "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-012"}], "source": {"advisory": "VDE-2026-012", "defect": ["CERT@VDE#641953"], "discovery": "UNKNOWN"}, "title": "CODESYS Installer TOCTOU Privilege Escalation", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:39:49.202345Z", "id": "CVE-2026-2364", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:51:59.328Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T15:39:49.202345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:39:50.280Z"}}], "cna": {"title": "CODESYS Installer TOCTOU Privilege Escalation", "source": {"defect": ["CERT@VDE#641953"], "advisory": "VDE-2026-012", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Ruscheweyh from SEW-EURODRIVE GmbH & Co KG"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CODESYS", "product": "CODESYS Installer", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.6.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-012"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer.", "supportingMedia": [{"type": "text/html", "value": "If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-03-10T07:22:42.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2364", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:51:59.328Z", "dateReserved": "2026-02-11T18:46:15.172Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2026-03-10T07:22:42.658Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer."}], "id": "CVE-2026-2364", "lastModified": "2026-03-11T13:53:47.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-03-10T17:39:29.587", "references": [{"source": "info@cert.vde.com", "url": "https://certvde.com/de/advisories/VDE-2026-012"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.6.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CODESYS Installer", "source": "cna", "vendor": "CODESYS"}, "product": "codesys_installer", "vendor": "codesys"}], "analysis": {"en": {"generated_at": "2026-04-17T11:46:56.499415+00:00", "value": {"mitigation_remediation": ["Obtain and install the latest CODESYS Installer update that addresses the TOCTOU vulnerability.", "Disable automatic self\u2011update prompts so the user must manually approve any installation changes.", "Restrict local user privileges to prevent unprivileged accounts from running the installer or initiating updates.", "Review and apply vendor guidance to eliminate race conditions (CWE-367) by ensuring atomic checks during the installation process."], "summary": {"action": "Patch Now", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The advisory lists the CODESYS Installer as the affected component. No specific version numbers are provided, so all installations that rely on the current installer may be vulnerable unless a patch is applied. Users who trigger the self\u2011update prompt or start the installer are at risk.", "description_and_impact": "This vulnerability arises from a time\u2011of\u2011check to time\u2011of\u2011use race condition in the CODESYS Installer. When a legitimate user elects to update the CODESYS Development System or launches the installer, a low\u2011privileged local user can interleave actions to trick the installer into executing with elevated rights. The flaw permits an attacker to elevate privileges on the affected system.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high\u2011severity local privilege escalation, but the EPSS score is less than 1\u202f% and the flaw is not in the CISA KEV catalog, pointing to a low likelihood of widespread exploitation. The attack requires local presence and the ability to confirm a self\u2011update prompt or initiate installation, which limits the attacker\u2019s opportunities. If successfully exploited, the attacker could compromise the host."}}}}, "created": "2026-03-10T14:06:02.774330+00:00", "updated": "2026-04-17T12:00:11.722843+00:00", "vendors": ["codesys", "codesys$PRODUCT$codesys_installer"]}