Cyber Resilience

CVE-2025-41660

Severity: High
Published: 24 March 2026
Modified: 24 March 2026
KEV added: not listed
Patch: (no entry)
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0043 (34.2nd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-41660 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in the CODESYS Control runtime system (the affected product is inferred from the CERT@VDE advisory and the vulnerability description; NVD has not filed a CPE). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 34.2nd percentile by exploit likelihood (EPSS 0.0043, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-34 (Non-modifiable Executable Programs).

Deeper analysis

CVE-2025-41660 affects the CODESYS Control runtime system, where a low-privileged remote attacker can replace the boot application, enabling unauthorized code execution. Published on 2026-03-24, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-669.

A low-privileged remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation allows replacement of the boot application, resulting in unauthorized code execution with high impacts on confidentiality, integrity, and availability.

Mitigation guidance is available in the CERT VDE advisory at https://certvde.com/de/advisories/VDE-2026-011.


Vulnerability details

A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.

CWE(s)

CWE-669 Incorrect Resource Transfer Between Spheres

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability allows a low-privileged remote attacker to replace the boot application and obtain unauthorized code execution on the runtime. Reaching the runtime over the network with a low-privileged account is exploitation of a remote service (T1210), and running attacker-supplied code as the boot application is a step up from that account's privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31431 (shared CWE-669)
CVE-2026-24708 (shared CWE-669)
CVE-2026-42997 (shared CWE-669)
CVE-2026-44599 (shared CWE-669)
CVE-2026-25253 (shared CWE-669)
CVE-2026-35545 (shared CWE-669)
CVE-2025-67895 (shared CWE-669)
CVE-2026-33265 (shared CWE-669)

Affected Assets

CODESYS Control runtime system
Inferred from the CERT@VDE advisory and the vulnerability description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI mapping)

SC-34 Non-modifiable Executable Programs (prevent): Prevents low-privileged attackers from replacing the boot application by enforcing execution only from non-modifiable storage.

SI-7 Software, Firmware, and Information Integrity (prevent, detect; the control ID is inferred from the description, which is all the page shows): Verifies the integrity of the boot application software and firmware to block or identify unauthorized replacements by attackers.

CM-5 Access Restrictions for Change (prevent): Restricts access to make changes to critical system components like the boot application, denying low-privileged remote attackers modification privileges.
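To make the integrity control concrete, here is an added example in Python of the kind of boot-application check it describes. It is not CODESYS or CERT@VDE code. The boot directory layout and file names (Application.app, Application.crc) are assumptions, as is where the key is kept; the point it demonstrates is that the baseline itself must be authenticated, because an account that can write the boot application can usually rewrite an unauthenticated hash list just as easily:

```python
"""Boot-application integrity check (added example, SI-7 style).

Assumptions: the boot application is a small set of files in one directory
(names below are assumed), and the HMAC key lives where the runtime's
low-privileged account cannot read it (off the controller or root-only).
"""
import hashlib
import hmac
import json
import os
import tempfile

# Assumed file names; a real runtime may use different names or more files.
BOOT_FILES = ("Application.app", "Application.crc")


def file_digest(path):
    """SHA-256 of a file, streamed so large boot applications do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(boot_dir, key):
    """Baseline every file in boot_dir and authenticate the listing with an HMAC,
    so a plain hash list cannot simply be regenerated by whoever swapped the files."""
    entries = {name: file_digest(os.path.join(boot_dir, name))
               for name in sorted(os.listdir(boot_dir))}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest, key):
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def check_boot_dir(boot_dir, manifest, key):
    """Compare the live directory against the baseline.

    Returns a sorted list of (finding, filename); empty means clean.
    Findings: manifest_tampered, modified, missing, added.
    """
    if not manifest_is_authentic(manifest, key):
        return [("manifest_tampered", None)]
    findings = []
    present = set(os.listdir(boot_dir))
    for name, digest in manifest["entries"].items():
        if name not in present:
            findings.append(("missing", name))
        elif file_digest(os.path.join(boot_dir, name)) != digest:
            findings.append(("modified", name))
    for name in present - set(manifest["entries"]):
        findings.append(("added", name))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline, then simulate the replacement this CVE enables."""
    key = b"constructed-demo-key-keep-off-the-plc"  # constructed; never hard-code in production
    with tempfile.TemporaryDirectory() as d:
        for name in BOOT_FILES:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"original contents of " + name.encode())
        manifest = build_manifest(d, key)
        clean = check_boot_dir(d, manifest, key)

        # Attacker replaces the boot application.
        with open(os.path.join(d, "Application.app"), "wb") as f:
            f.write(b"attacker-supplied application")
        replaced = check_boot_dir(d, manifest, key)

        # Attacker re-baselines with a guessed key to hide the change.
        forged = build_manifest(d, b"guessed-key")
        hidden = check_boot_dir(d, forged, key)
    return clean, replaced, hidden


if __name__ == "__main__":
    for label, result in zip(("clean", "after replacement", "forged baseline"), demo()):
        print(f"{label}: {result or 'no findings'}")
```

Run the check from a host or a root-only scheduled task that the runtime's low-privileged account cannot alter, and forward any non-empty finding list to the SIEM; a "modified" or "added" hit on the boot directory is the observable for the replacement this advisory describes.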

References

CERT@VDE advisory VDE-2026-011: https://certvde.com/de/advisories/VDE-2026-011