Cyber Resilience

CVE-2026-3509

High

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0012 30.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3509 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Certvde (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3509 is a format string vulnerability (CWE-134) affecting the Audit Log component of the CODESYS Control runtime system. Published on 2026-03-24, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue allows an unauthenticated remote attacker to control the format string of messages processed by the Audit Log.

An unauthenticated attacker with network access to the vulnerable system can exploit this flaw with low complexity and no user interaction required. Successful exploitation results in a denial-of-service (DoS) condition, disrupting the availability of the affected CODESYS Control runtime system.

Mitigation details are provided in the advisory VDE-2026-018 from CERT VDE, available at https://certvde.com/de/advisories/VDE-2026-018.

EU & UK References

Vulnerability details

An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of the format string flaw in the exposed CODESYS runtime directly enables T1190 (Exploit Public-Facing Application) and produces availability impact via T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-40600Shared CWE-134
CVE-2026-33210Shared CWE-134
CVE-2024-45324Shared CWE-134
CVE-2024-12805Shared CWE-134
CVE-2025-30269Shared CWE-134
CVE-2026-22190Shared CWE-134
CVE-2025-64157Shared CWE-134
CVE-2025-55298Shared CWE-134
CVE-2025-46121Shared CWE-134
CVE-2023-53966Shared CWE-134

Affected Assets

Certvde
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the format string vulnerability in the CODESYS Audit Log by identifying, reporting, and applying patches to prevent exploitation.

prevent

Validates and sanitizes unauthenticated remote inputs to the Audit Log component to block format string manipulation leading to DoS.

prevent

Protects against or limits the impact of DoS conditions caused by format string exploits in the Audit Log processing.

References