CVE-2026-0393 · CWE-522 · Disclosed 2026-05-21

The affected product may expose credentials remotely between low privileged visualization users during…

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is more like one operator seeing the next person’s badge swipe than a burglar kicking in the plant gate

CVE-2026-0393 affects CODESYS Visualization versions >= 1.0.0.0 and < 4.10.0.0. During concurrent login activity inside an active visualization session, authentication data may not be properly isolated, so one low-privileged visualization user can end up seeing another user’s credentials. This is a credential exposure flaw, not code execution, and it is bounded to the visualization login workflow rather than the controller runtime as a whole.

Reality check: the public description itself narrows this hard. The attacker already needs remote access plus a low-privileged visualization account, the victim has to be logging in at the same time, and the issue only appears within an active visualization session. That keeps this out of HIGH despite the obvious sensitivity of passwords; the CNA's medium-style framing is directionally right, and the real-world score belongs in the middle of the pack, not at the top.

"Assessed at MEDIUM: real confidentiality impact, but the exploit chain is cramped, post-auth, and timing-dependent"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a low-privileged visualization account

The attacker first needs valid access to the CODESYS visualization surface, typically WebVisu/HMI access over the network. In practice this is a post-initial-access or insider step: they are not breaking in from zero, they are abusing an already valid low-priv visualization identity. Weaponized tool: ordinary browser login or a scripted client such as Playwright/Selenium; no public exploit kit was found.
Conditions required:
  • Network reachability to the visualization interface
  • A valid low-privileged visualization user account
  • Target deployment actually uses CODESYS Visualization login controls
Where this breaks in practice:
  • Many CODESYS HMIs are internal to OT segments rather than broadly internet-exposed
  • Identity provisioning for visualization users is often narrower than plant-wide operator access
  • MFA, jump hosts, VPNs, or workstation restrictions may block cheap remote abuse before the app is even reached
Detection/coverage: Generic vuln scanners are unlikely to validate this safely because it depends on session timing and concurrent logins. Detection is better via access logs showing repeated login attempts from one visualization account across multiple sessions.
STEP 02

Race a second user during login

The attacker then waits for or induces a second user to perform a login while the attacker's own visualization session is active. A custom automation loop can repeatedly open, refresh, or submit the login dialog to increase the odds of colliding with another user's authentication flow. Weaponized tool: browser automation plus Burp Suite or an equivalent HTTP repeater to observe responses and state transitions.
Conditions required:
  • Another visualization user logs in concurrently
  • Both sessions interact with the vulnerable login handling path
  • The attacker can maintain an active visualization session long enough to catch the race
Where this breaks in practice:
  • This is a narrow timing window, not a deterministic one-shot exploit
  • Plants with low interactive HMI churn may rarely produce the needed concurrency
  • Single-user stations or kiosks sharply reduce the chance of overlap
Detection/coverage: Look for clustered login POSTs, rapid reauthentication loops, or repeated dialog openings from the same source during normal operator shifts. App-layer telemetry is far more useful than network IDS signatures here.
STEP 03

Capture leaked credentials

If the race succeeds, insufficient isolation of authentication data can expose another user's credentials to the attacker. The most likely practical harvest point is the client-side session state, HTTP response flow, or transient login handling visible to the attacker's session tooling. Weaponized tool: browser developer tools, proxy capture, or a custom session scraper; no public PoC repository was identified.
Conditions required:
  • The vulnerable version is present
  • The race condition is successfully triggered
  • Returned or shared authentication data is observable to the attacker's session
Where this breaks in practice:
  • The flaw is limited to confidentiality and only during the login operation
  • No evidence was found of a turnkey public exploit or scanner check
  • If credentials are short-lived, rotated, or scoped only to visualization roles, downstream value drops
Detection/coverage: There is little signature-friendly network content to key on without decrypting application traffic. Compensating detection is login anomaly monitoring: same-source follow-on logins under different usernames shortly after repeated concurrency attempts.
STEP 04

Replay the victim identity inside HMI workflows

With the stolen credentials, the attacker can authenticate as the second user and inherit whatever visualization or supervisory permissions that account has. In a real plant this can mean broader HMI visibility, acknowledgement actions, or workflow abuse, but not automatic controller compromise. Weaponized tool: normal browser session reuse; this is credential replay, not memory corruption or RCE.
Conditions required:
  • Stolen credentials remain valid
  • The victim account has permissions worth stealing
  • The environment allows another session or does not alert on simultaneous logins
Where this breaks in practice:
  • Blast radius is bounded by the victim account's role
  • Segmentation between HMI and control functions may contain the impact
  • Account lockout, concurrent-session controls, or operator monitoring may expose replay quickly
Detection/coverage: Strongest signal is impossible travel within the OT environment, concurrent sessions for one user, or rapid role changes from a formerly low-value account to a higher-value operator identity.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No public evidence of active exploitation found, and not listed in CISA KEV as of the current catalog review.
Public exploit / PoC: No public PoC repo or exploit module was found in the reviewed sources. This currently looks like a custom browser-automation race rather than a commodity exploit.
EPSS: 0.0005 from the provided intel, which is effectively floor-level probability; FIRST describes EPSS as a 30-day exploitation likelihood model. Percentile was not authoritatively retrievable from reviewed primary sources.
KEV status: No; not present in the Known Exploited Vulnerabilities Catalog.
CVSS vector meaning: CNA/NVD display CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N on NVD: network reachable, low privileges required, passive user interaction/timing needed, and impact is mainly credential confidentiality.
Affected versions: Publicly listed as CODESYS Visualization >= 1.0.0.0 and < 4.10.0.0 in the vulnerability record surfaced by Vulnerability-Lookup/CIRCL.
Fixed version: Patch line appears to be 4.10.0.0, which was released on 2026-05-21 per the CODESYS Visualization release page.
Exposure reality: CODESYS documents on its official help page that WebVisu supports remote access and can be used over the Internet, so exposure is possible. But real exploitability still depends on the visualization surface being reachable and on the attacker already holding a valid low-privileged user account.
Disclosure date: Published 2026-05-21 in NVD and the CERT@VDE/CODESYS advisory stream.
Reporter / advisory authority: Assigned and published via CERT@VDE with CODESYS advisory reference VDE-2026-052 in the CSAF advisory. Public reporting credit was not identified in the reviewed materials.
04 · The Call

noisgate verdict.

Final Verdict: UNCHANGED, MEDIUM (4.9/10)

The decisive downdraft here is the attacker position requirement: this is not an unauthenticated edge exploit, it starts with a valid low-privileged visualization user already inside the app. From there the exploit still depends on a concurrent-login race and only yields whatever the victim account can reach, which caps the exposed population and blast radius.

Confidence in the supporting evidence:
  • HIGH: Exploit preconditions are materially limiting: authenticated remote plus concurrent victim login
  • MEDIUM: Version range and patch floor at 4.10.0.0
  • MEDIUM: Population exposure estimate, because public internet-facing counts were not authoritatively available

Why this verdict

  • ASSESSED AT MEDIUM: this starts from a constrained post-auth position, not an unauthenticated internet edge foothold.
  • Concurrency is real friction: the attacker needs another user to be logging in during an active visualization session, which is a timing dependency that will fail often in normal deployments.
  • Blast radius is role-bounded: even successful theft only buys the victim user's visualization permissions, not automatic controller RCE or domain-wide compromise.
  • Threat telemetry is cold: no KEV listing, no public exploitation evidence, and an EPSS of 0.0005 all push this down from the top queue.
  • Exposure is not universal: WebVisu can be remote-facing, but many enterprises keep HMI access inside OT segments or behind VPN/jump infrastructure, shrinking reachable population.

Why not higher?

To justify HIGH, this would need either a broader reachable population or a cleaner exploit chain. Instead it requires authenticated remote access, an active session, and a concurrent victim login, then lands as credential theft inside the same application boundary rather than code execution or direct controller takeover.

Why not lower?

This still exposes credentials, which is a serious primitive in operational environments because operators and supervisors often share overlapping HMI authority. If the stolen account is more privileged than the attacker's starting account, the practical impact can move from mere information leakage to unauthorized supervisory actions, so this is not backlog-only hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Restrict visualization reachability — Put WebVisu/HMI access behind VPN, jump hosts, or plant-management enclaves so the vulnerable login path is not broadly reachable. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this control is worth applying early on any externally reachable or contractor-accessible deployment.
  2. Reduce shared low-priv accounts — Eliminate generic visualization users and force named accounts wherever possible; that raises accountability and reduces the number of attacker starting identities that satisfy the prerequisite. There is no mitigation SLA for MEDIUM, so treat this as opportunistic hardening while patching within the remediation window.
  3. Alert on concurrent session anomalies — Monitor for repeated login attempts, multiple sessions from the same user, or fast reuse of different usernames from one source. This will not prevent the bug, but it gives you the best chance to catch the race/replay pattern before it becomes an unauthorized operator session.
  4. Apply least privilege to visualization roles — Revisit what low-priv and operator visualization accounts are actually allowed to do, because the whole impact model depends on the victim account being more useful than the attacker account. Tight role scoping reduces the value of any captured password even if you cannot patch immediately.
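As an added example (not the page's verification script and not noisgate's or CODESYS's code), the three detection heuristics from control 3 and the Detection/coverage notes in section 02, run over constructed HMI access-log lines; the "timestamp source user event" log format is an assumption to adapt to whatever your WebVisu host or reverse proxy actually records.

```python
# Added example (not noisgate's or CODESYS's code): the three login-anomaly
# heuristics from the compensating-control list, run over constructed HMI
# access-log lines. The "timestamp source user event" format is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real traffic: 10.0.5.20 hammers the login dialog as
# viewer1, then signs in as supervisor while the real supervisor is on 10.0.5.31.
SAMPLE_LOG = """\
2026-05-22T08:00:01 10.0.5.20 viewer1 login_ok
2026-05-22T08:00:04 10.0.5.20 viewer1 login_fail
2026-05-22T08:00:07 10.0.5.20 viewer1 login_ok
2026-05-22T08:00:10 10.0.5.20 viewer1 login_ok
2026-05-22T08:00:12 10.0.5.20 viewer1 login_ok
2026-05-22T08:00:15 10.0.5.31 supervisor login_ok
2026-05-22T08:01:02 10.0.5.20 supervisor login_ok
2026-05-22T09:30:00 10.0.5.44 operator2 login_ok
"""

def parse(text):
    """Return (timestamp, source, user, event) tuples, oldest first."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(t), s, u, e) for t, s, u, e in rows)

def _flag(rows, key, tag, window, threshold, events=("login_ok",)):
    """Keys for which >= threshold distinct tags occur inside one sliding window."""
    buckets = defaultdict(list)
    for i, (ts, src, user, event) in enumerate(rows):
        if event in events:
            buckets[key(src, user)].append((ts, tag(i, src, user)))
    flagged = set()
    for k, evs in buckets.items():  # evs are already time-ordered
        for j, (start, _) in enumerate(evs):
            if len({t for ts, t in evs[j:] if ts - start <= window}) >= threshold:
                flagged.add(k)
                break
    return flagged

def login_bursts(rows, window=timedelta(seconds=60), threshold=5):
    """Sources with clustered login attempts: the repeated-dialog race pattern."""
    return _flag(rows, lambda s, u: s, lambda i, s, u: i, window, threshold,
                 events=("login_ok", "login_fail"))

def username_switches(rows, window=timedelta(minutes=5)):
    """One source signing in under different usernames shortly apart (replay)."""
    return _flag(rows, lambda s, u: s, lambda i, s, u: u, window, 2)

def concurrent_logins(rows, window=timedelta(minutes=10)):
    """One username logging in from different sources within the window."""
    return _flag(rows, lambda s, u: u, lambda i, s, u: s, window, 2)
```

Tune the windows and thresholds to a plant's normal shift-change churn before alerting on them; on the sample above, all three heuristics single out the 10.0.5.20 source and the doubly-active supervisor account.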
What doesn't work
  • A WAF alone is not a reliable answer, because this is a legitimate authenticated workflow with timing/state issues rather than a neat malicious payload pattern.
  • Pure network IDS signatures will miss most of the useful signal; the exploit looks like normal login traffic unless you have application context.
  • Generic password complexity policies do not fix credential cross-exposure. Stronger passwords help after theft, not during the vulnerable isolation failure.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation, CI job, or asset-inventory host, not necessarily on the target controller. Invoke it as python3 check_cve_2026_0393.py 4.9.1.0 using the installed CODESYS Visualization version from your software inventory or package manifest; no administrative privileges are required.

noisgate-verify.py (Python · read-only · safe)
#!/usr/bin/env python3
# check_cve_2026_0393.py
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

import re
import sys

AFFECTED_MIN = (1, 0, 0, 0)
FIXED = (4, 10, 0, 0)


def parse_version(v):
    if not v:
        return None
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", v)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def main():
    if len(sys.argv) != 2:
        print("UNKNOWN: usage: python3 check_cve_2026_0393.py <version>")
        sys.exit(2)

    raw_version = sys.argv[1]
    version = parse_version(raw_version)
    if version is None:
        print(f"UNKNOWN: could not parse version '{raw_version}' (expected format like 4.9.1.0)")
        sys.exit(2)

    if version < AFFECTED_MIN:
        print(f"UNKNOWN: version {raw_version} is below the published affected floor {'.'.join(map(str, AFFECTED_MIN))}")
        sys.exit(2)

    if version < FIXED:
        print(f"VULNERABLE: CODESYS Visualization {raw_version} is affected by CVE-2026-0393; fixed in {'.'.join(map(str, FIXED))} and later")
        sys.exit(1)

    print(f"PATCHED: CODESYS Visualization {raw_version} is at or above the fixed version {'.'.join(map(str, FIXED))}")
    sys.exit(0)


if __name__ == "__main__":
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull an inventory of every CODESYS Visualization instance below 4.10.0.0, then separate internet-reachable or contractor-reachable WebVisu deployments from purely internal OT HMIs. For this MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window. Still, tighten reachability and named-account use on exposed/shared stations first, then complete the actual upgrade to 4.10.0.0 or later within that window; if you find an externally reachable multi-user HMI, don't wait for the end of the window—slot it into the next practical maintenance event.

Sources

  1. NVD CVE detail
  2. CERT@VDE / CODESYS CSAF advisory VDE-2026-052
  3. CERT@VDE CODESYS advisories index
  4. CODESYS Visualization release lifecycle
  5. CODESYS WebVisu official help
  6. CISA Known Exploited Vulnerabilities catalog
  7. FIRST EPSS overview
  8. Vulnerability-Lookup / CIRCL entry for CODESYS CVEs