#OT #Advisory VDE-2026-042
CODESYS Modbus TCP Server - Improper resource management

CODESYS Modbus is an add‑on for the CODESYS Development System that provides a fully integrated Modbus protocol stack along with diagnostic capabilities. A flaw in the CODESYS Modbus TCP Server protocol stack library results in a vulnerability. When a Modbus TCP server is configured, this vulnerable protocol stack is downloaded to and executed by CODESYS Control runtime systems.
#CVE CVE-2026-35227

https://certvde.com/en/advisories/vde-2026-042/

#CSAF https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-05_vde-2026-042.json
#OT #Advisory VDE-2026-005
ifm: Multiple Vulnerabilities in CR3171

The firmware installed on the CR3171 is impacted by various CODESYS vulnerabilities.
#CVE CVE-2025-41659, CVE-2025-41691, CVE-2025-41658

https://certvde.com/en/advisories/vde-2026-005/

#CSAF https://ifm.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-005.json
#OT #Advisory VDE-2026-048
VEGA: Missing Authentication for critical function in VEGAPULS Bluetooth products

Vulnerable components expose sensitive information to unauthorized actors through an unsecured configuration interface. Vulnerable firmware releases contain an unsecured configuration interface that allows retrieval of sensitive information such as hashed credentials.
#CVE CVE-2026-3323

https://certvde.com/en/advisories/vde-2026-048/

#CSAF https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-048.json
#OT #Advisory VDE-2026-047
VEGA: Missing Authentication for critical function in VEGAPULS Air products

Vulnerable components expose sensitive information to unauthorized actors through an unsecured configuration interface. Vulnerable firmware releases contain an unsecured configuration interface that allows retrieval of sensitive information such as hashed credentials.
#CVE CVE-2026-3323

https://certvde.com/en/advisories/vde-2026-047/

#CSAF https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-047.json
#OT #Advisory VDE-2026-046
VEGA: Unsecured Configuration Interface Allows Unauthorized Access Leading to Privilege Escalation

Vulnerable components expose sensitive information to unauthorized actors through an unsecured configuration interface. Vulnerable firmware releases contain an unsecured configuration interface that allows retrieval of sensitive information such as hashed credentials.
#CVE CVE-2026-3323

https://certvde.com/en/advisories/vde-2026-046/

#CSAF https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-046.json
#OT #Advisory VDE-2026-040
CODESYS EtherNetIP - Improper timeout handling

CODESYS EtherNet/IP is an add‑on for the CODESYS Development System that provides a fully integrated EtherNet/IP protocol stack along with diagnostic capabilities. A flaw in the EtherNet/IP adapter protocol stack library results in a vulnerability within the generated application code. When an EtherNet/IP adapter is configured, this vulnerable protocol stack is downloaded to and executed by CODESYS Control runtime systems.
#CVE CVE-2026-35225

https://certvde.com/en/advisories/vde-2026-040/
#CSAF https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-04_vde-2026-040.json
#OT #Advisory VDE-2026-019
Pilz: Vulnerability affecting PASvisu Runtime

The PASvisu Runtime is affected by a vulnerability in a third-party component which can be exploited by malicious web requests.
#CVE CVE-2018-25193

https://certvde.com/en/advisories/vde-2026-019/

#CSAF https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2026/ppsa-2026-002.json
#OT #Advisory VDE-2026-029
METTLER TOLEDO: OpenSSL vulnerability in MX and MR balances

MX/MR firmware V2.0.0 or earlier is affected by the OpenSSL vulnerability CVE-2025-15467.
#CVE CVE-2025-15467

https://certvde.com/en/advisories/vde-2026-029/
#CSAF https://mettler-toledo.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-029.json
"The Common Security Advisory Framework (#CSAF) is an effective and efficient means by which manufacturers can communicate their recommendations for action on vulnerabilities."

writes the Institute for Occupational Safety and Health (a main department of the German Social Accident Insurance) here:

https://www.dguv.de/ifa/fachinfos/industrial-security/csaf/index-2.jsp

further:
"New EU regulations place greater responsibility on manufacturers of products with digital elements.

For example, Article 14 (8) of the Cyber Resilience Act (CRA) sets out "reporting obligations of manufacturers", together with strict deadlines."

Note that https://www.csaf.io/specification/ version 2.1 has been available as "Committee Specification Draft 02" for a few weeks. The technical committee welcomes comments!

IFA - Technical Information - Industrial Security - CSAF

The Common Security Advisory Framework (CSAF) is an effective and efficient means by which manufacturers can communicate their recommendations for action on vulnerabilities. Graphical interfaces for use with CSAF, such as Secvisogram (available free of charge), facilitate input and maintenance of data in compliance with the standard.