PatchSiren cyber security CVE debrief
CVE-2026-44469 CODESYS CVE debrief
A local privilege escalation vulnerability exists due to insecure temporary directory permissions during administrative installation. The affected product extracts installation files to a temporary directory with incorrect default permissions, creating a Time-of-Check to Time-of-Use (TOCTOU) race condition. A low-privileged local attacker can exploit this with a practical time window to replace verified files with malicious versions before installation completes. The vulnerability is classified as CWE-276 (Incorrect Default Permissions) and carries a HIGH severity CVSS 4.0 score of 8.5. The attack requires local access and low privileges but no user interaction, with high impact on confidentiality, integrity, and availability of the affected system.
- Vendor
- CODESYS
- Product
- CODESYS Development System
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-26
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-26
- Advisory updated
- 2026-05-26
Who should care
System administrators managing multi-user environments, security teams responsible for endpoint protection, and organizations with strict privilege separation requirements should prioritize assessment. The practical exploitability window and low privilege requirements make this particularly relevant for shared workstation environments, development systems, and any infrastructure where low-privileged users coexist with administrative software deployment processes.
Technical summary
The vulnerability stems from a TOCTOU (Time-of-Check to Time-of-Use) race condition in the installation process. During administrative installation, files are extracted to a temporary directory with overly permissive default settings. The window between file verification and actual installation execution is sufficiently large to be practically exploitable. A local attacker with low privileges can monitor this temporary directory, replace verified files with malicious equivalents after verification but before use, and achieve privilege escalation when the installation proceeds with the substituted files. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) indicates local attack vector, low attack complexity, no attack triggers required, low privileges required, no user interaction needed, with high impact across confidentiality, integrity, and availability vectors.
Defensive priority
HIGH
Recommended defensive actions
- Restrict local user access to installation processes and temporary directories on affected systems
- Monitor for suspicious file operations in system temporary directories during software installation windows
- Apply vendor patches when available from CERT@VDE advisory source
- Review and harden temporary directory permissions for administrative installation workflows
- Implement file integrity monitoring for critical installation binaries
Evidence notes
Vulnerability disclosed via CERT@VDE advisory VDE-2026-055. CVSS 4.0 vector confirms local attack vector with low attack complexity. NVD status shows 'Awaiting Analysis' as of disclosure date. Vendor identification marked as low confidence requiring review—'Certvde' detected as reference domain candidate.
Official resources
-
CVE-2026-44469 CVE record
CVE.org
-
CVE-2026-44469 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-26