Cyber Posture

CVE-2026-3509

High

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0012 29.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3509 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Certvde (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the format string vulnerability in the CODESYS Audit Log by identifying, reporting, and applying patches to prevent exploitation.

SI-10 Information Input Validation good match
prevent

Validates and sanitizes unauthenticated remote inputs to the Audit Log component to block format string manipulation leading to DoS.

SC-5 Denial-of-service Protection good match
prevent

Protects against or limits the impact of DoS conditions caused by format string exploits in the Audit Log processing.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote unauthenticated network exploitation of the format string flaw in the exposed CODESYS runtime directly enables T1190 (Exploit Public-Facing Application) and produces availability impact via T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

Deeper analysisAI

CVE-2026-3509 is a format string vulnerability (CWE-134) affecting the Audit Log component of the CODESYS Control runtime system. Published on 2026-03-24, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue allows an unauthenticated remote attacker to control the format string of messages processed by the Audit Log.

An unauthenticated attacker with network access to the vulnerable system can exploit this flaw with low complexity and no user interaction required. Successful exploitation results in a denial-of-service (DoS) condition, disrupting the availability of the affected CODESYS Control runtime system.

Mitigation details are provided in the advisory VDE-2026-018 from CERT VDE, available at https://certvde.com/de/advisories/VDE-2026-018.

Details

CWE(s)
CWE-134

Affected Products

Certvde
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-40600Shared CWE-134
CVE-2026-33210Shared CWE-134
CVE-2024-45324Shared CWE-134
CVE-2025-30269Shared CWE-134
CVE-2025-46121Shared CWE-134
CVE-2026-22190Shared CWE-134
CVE-2024-12805Shared CWE-134
CVE-2025-55298Shared CWE-134
CVE-2023-53966Shared CWE-134
CVE-2025-68648Shared CWE-134

References