PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28205 OpenPLC_V3 CVE debrief

OpenPLC_V3 ships with an insecure default (CWE-1188, Initialization of a Resource with an Insecure Default) that lets an unauthenticated attacker bypass authentication through the runtime's API. The v3 branch is end-of-life and will not receive a fix; CISA recommends migrating to OpenPLC Runtime v4.

Vendor: OpenPLC_V3
Product: Unknown
CVSS: 8.9 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-11
Original CVE updated: 2026-04-09
Advisory published: 2025-12-11
Advisory updated: 2026-04-09

Who should care

Organizations operating OpenPLC_V3 in industrial control or building automation environments, OT security teams, and asset owners responsible for PLC runtime security.

Technical summary

CVE-2026-28205 affects OpenPLC_V3, an open-source programmable logic controller runtime. The root cause is an insecure default in how a resource is initialized (CWE-1188) rather than a coding defect in one particular handler, so a stock installation is affected unless the operator has changed that default: an unauthenticated, network-reachable attacker can bypass authentication and gain access to the system through the API. The CVSS 3.1 base score of 8.9 (HIGH) follows from the vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H: network attack vector, high attack complexity, no privileges and no user interaction required, changed scope (the impact reaches beyond the vulnerable component), low confidentiality impact, and high integrity and availability impact. On a PLC runtime the integrity and availability ratings are the serious part: they mean an attacker can change what the controller does or stop it. OpenPLC_v3 is end-of-life; the only fix is to upgrade to OpenPLC Runtime v4.

Defensive priority

HIGH

Recommended defensive actions

  • Migrate from OpenPLC_v3 to OpenPLC Runtime v4: the v3 branch is end-of-life and will not receive security updates, so there is no patch to wait for.
  • Until migration is complete, verify rather than assume that every remaining OpenPLC_v3 instance refuses unauthenticated API requests: from a host with no session, request the runtime's management endpoints and treat any that return application data instead of a redirect to the login page or a 401/403 as exposed.
  • Put OpenPLC management interfaces (web UI and API) on a segmented OT network reachable only from designated engineering workstations. The vector is AV:N with no privileges required, so removing network reachability from untrusted zones removes the attack path.
  • Monitor ICS-CERT and CISA advisories (ICSA-25-345-10 is the advisory for this issue) for further guidance on industrial control system security practices.
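As a concrete way to carry out the second check above, here is an added example (it is not code from PatchSiren, CISA, or the OpenPLC project) that sends unauthenticated GET requests to a list of OpenPLC_v3 web/API paths and classifies each response. The target address, the port 8080, and the route list are assumptions for illustration; adjust them to your deployment. Redirects are deliberately not followed so that a bounce to /login is visible as the verdict "protected" rather than being silently chased.

```python
"""Unauthenticated exposure check for an OpenPLC_v3 web/API listener.

Added example for this debrief; not code from the OpenPLC project.
Assumptions (adjust for your environment): the runtime's web UI listens on
TCP 8080 and sends unauthenticated browsers to /login; the route list below
is an illustrative guess, not an authoritative map of the v3 API.
"""
import sys
import urllib.error
import urllib.request

DEFAULT_BASE = "http://192.0.2.10:8080"  # RFC 5737 documentation address (assumed target)
PROBE_PATHS = ["/dashboard", "/programs", "/settings", "/users", "/start_run", "/stop_run"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=5):
    """GET `url` with no cookies or credentials.
    Returns (status, Location header, first 512 bytes of body as text)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here because redirects are not followed
        return err.code, err.headers.get("Location", ""), err.read(512).decode("utf-8", "replace")


def classify(status, location, body):
    """Verdict for one unauthenticated request:
    'protected' - 401/403, or a redirect whose target is the login page
    'exposed'   - 200 carrying application content (no authentication enforced)
    'unknown'   - anything else; look at it by hand"""
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected" if "/login" in location else "unknown"
    if status == 200:
        # A 200 that renders the login form in place is still protected (heuristic).
        return "protected" if "login" in body.lower() else "exposed"
    return "unknown"


def audit(base=DEFAULT_BASE, paths=PROBE_PATHS, fetcher=fetch):
    """Probe every path and return {path: verdict}. `fetcher` is injectable so the
    classification logic can be exercised offline against canned responses."""
    results = {}
    for path in paths:
        try:
            results[path] = classify(*fetcher(base + path))
        except OSError as err:  # connection refused, timeout, DNS failure
            results[path] = f"error: {err}"
    return results


def exposed_paths(results):
    """Paths that answered an unauthenticated request with application content."""
    return sorted(p for p, verdict in results.items() if verdict == "exposed")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BASE
    verdicts = audit(target)
    for path, verdict in verdicts.items():
        print(f"{verdict:10s} {target}{path}")
    sys.exit(1 if exposed_paths(verdicts) else 0)
```

Run it as `python3 probe_openplc.py http://<plc>:8080` from a host that is not supposed to have access; a non-zero exit means at least one path returned application content without a session. The classification is a heuristic (a 200 page that happens to contain the word "login" is treated as protected), so review "unknown" verdicts by hand, and only run it against equipment you own or are authorized to test.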

Evidence notes

CISA ICS advisory ICSA-25-345-10 (Update A, 2026-04-09) confirms OpenPLC_v3 is end-of-life and documents the insecure default leading to authentication bypass. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H yields base score 8.9 (HIGH).

Official resources

2025-12-11