PatchSiren cyber security CVE debrief

CVE-2026-35556 OpenPLC_V3 CVE debrief

OpenPLC_V3 contains a Plaintext Storage of a Password vulnerability (CWE-256) that allows credential retrieval and unauthorized access to sensitive information. The product is now end-of-life with no patches planned; CISA directs users to migrate to OpenPLC Runtime v4.

Vendor: OpenPLC_V3
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-11
Original CVE updated: 2026-04-09
Advisory published: 2025-12-11
Advisory updated: 2026-04-09

Who should care

Organizations operating industrial control systems with OpenPLC_v3 deployments, particularly those in critical infrastructure sectors where PLC security affects physical processes. Priority should be given to internet-facing or poorly segmented installations.

Technical summary

OpenPLC_V3 stores passwords in plaintext, so an attacker with file system or backup access can recover credentials and gain unauthorized access to the runtime environment. The vulnerability carries a CVSS 3.1 base score of 8.1 (High), with attack vector Network, attack complexity High, and impact on Confidentiality, Integrity, and Availability. No patches are available because the product is end-of-life; migration to OpenPLC Runtime v4 is the prescribed remediation.

Defensive priority

HIGH

Recommended defensive actions

  • Migrate from OpenPLC_v3 to OpenPLC Runtime v4 as the affected version is end-of-life with no security patches available.
  • Audit systems for any remaining OpenPLC_v3 deployments and prioritize replacement based on exposure to untrusted networks.
  • Review and rotate any credentials that may have been stored or transmitted by OpenPLC_v3 instances.
  • Apply network segmentation and access controls to limit exposure of remaining OpenPLC_v3 instances until migration is complete.
  • Monitor for unauthorized access attempts targeting OpenPLC_v3 administrative interfaces.
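A small helper for the audit and rotation actions above, added here as an example (not OpenPLC or PatchSiren code): it flags credential-store rows whose stored value lacks a recognisable password-hash prefix and shows the salted PBKDF2 form a replacement store should hold instead. The row layout, prefix list and sample values are constructed assumptions, since the advisory does not describe OpenPLC_v3's credential file.

```python
"""Audit a credential store for plaintext passwords (CWE-256).

Added example for this debrief, not OpenPLC code. Rows are a constructed
stand-in: (username, stored_value) pairs as an exporter might pull from any
runtime's user table or backup.
"""
import base64
import hashlib
import hmac
import os

# Hashed credentials normally carry an algorithm prefix (modular-crypt or
# PHC style). Anything without one is treated as plaintext-likely.
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2id$", "$argon2i$",
                 "$pbkdf2-sha256$", "$5$", "$6$", "pbkdf2_sha256$", "scrypt:")

def classify_stored_value(value: str) -> str:
    """Return 'hashed' when value looks like a password hash, else 'plaintext'."""
    return "hashed" if any(value.startswith(p) for p in HASH_PREFIXES) else "plaintext"

def audit_user_rows(rows):
    """Return usernames whose stored secret is plaintext and must be rotated."""
    return [user for user, secret in rows if classify_stored_value(secret) == "plaintext"]

def hash_password(password: str, salt=None, iterations: int = 600_000) -> str:
    """Hardened form: salted PBKDF2-HMAC-SHA256 encoded as a PHC-style string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a $pbkdf2-sha256$ string with a constant-time compare."""
    try:
        _, algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:          # plaintext or foreign format: never matches
        return False
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

# Constructed sample rows: two plaintext entries and one already hashed.
SAMPLE_ROWS = [
    ("engineer", "Winter2024!"),
    ("hmi_svc", "plc-readonly"),
    ("auditor", hash_password("s3cret", salt=b"0123456789abcdef", iterations=1000)),
]

if __name__ == "__main__":
    for user in audit_user_rows(SAMPLE_ROWS):
        print(f"ROTATE: {user} is stored in plaintext")
```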

Evidence notes

CISA published ICSA-25-345-10 on 2025-12-11 and updated it on 2026-04-09 (Update A) to revise mitigations and add CVE references. The advisory confirms OpenPLC_v3 is end-of-life and recommends upgrading to OpenPLC Runtime v4. SSVC scoring indicates Exploitation: None, Automatable: No.

Official resources

2025-12-11