Cyber Posture

CVE-2025-41660

Severity: High
Published: 24 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-41660 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability. The vendor is recorded here as Certvde (inferred from the references); the NVD description itself identifies the affected product as the CODESYS Control runtime system. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 49.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-34 (Non-modifiable Executable Programs).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique, Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Prevents low-privileged attackers from replacing the boot application by enforcing execution only from non-modifiable storage.

prevent, detect: Verifies the integrity of the boot application software and firmware to block or identify unauthorized replacements by attackers.

prevent: Restricts access to make changes to critical system components like the boot application, denying low-privileged remote attackers modification privileges.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability allows a low-privileged remote attacker to replace the boot application for unauthorized code execution, directly facilitating exploitation of remote services (T1210) and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution.

Deeper analysis

CVE-2025-41660 affects the CODESYS Control runtime system, where a low-privileged remote attacker can replace the boot application, enabling unauthorized code execution. Published on 2026-03-24, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-669.

A low-privileged remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation allows replacement of the boot application, resulting in unauthorized code execution with high impacts on confidentiality, integrity, and availability.

Mitigation guidance is available in the CERT VDE advisory at https://certvde.com/de/advisories/VDE-2026-011.

Details

CWE(s)

CWE-669 (Incorrect Resource Transfer Between Spheres)

Affected Products

Certvde (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-31431 (shared CWE-669)
CVE-2026-33265 (shared CWE-669)
CVE-2026-25253 (shared CWE-669)
CVE-2026-42997 (shared CWE-669)
CVE-2026-24708 (shared CWE-669)
CVE-2025-67895 (shared CWE-669)
CVE-2026-44599 (shared CWE-669)
CVE-2026-35545 (shared CWE-669)

References