PatchSiren cyber security CVE debrief
CVE-2026-14480 OpenPLC CVE debrief
CVE-2026-14480 is an authenticated arbitrary file write vulnerability in OpenPLC Runtime v3's legacy web UI program-upload workflow. The application stores an attacker-supplied filename directly into the Programs.File database field and later uses this value as the destination path for an uploaded file without validating or restricting the path. This vulnerability allows an authenticated user to write arbitrary files anywhere writable by the OpenPLC webserver process, potentially leading to arbitrary native code execution. Operators of OpenPLC Runtime v3, particularly those in industrial control systems (ICS) environments, should be aware of this vulnerability and take immediate action to mitigate the risk. The CVE record was published on 2026-07-10T23:16:47.110Z and has not been modified since then.
- Vendor
- OpenPLC
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Operators of OpenPLC Runtime v3, particularly those in industrial control systems (ICS) environments, should be aware of this vulnerability. The vulnerability allows an authenticated user to write arbitrary files anywhere writable by the OpenPLC webserver process, potentially leading to arbitrary native code execution.
Technical summary
The vulnerability exists in the legacy web UI program-upload workflow of OpenPLC Runtime v3. An authenticated user can supply a filename that, when processed, allows writing arbitrary files. This can be exploited to write a malicious .cpp file into the OpenPLC runtime core directory, which can then be compiled into the executable runtime binary, leading to arbitrary native code execution. The application stores an attacker-supplied filename directly into the Programs.File database field and later uses this value as the destination path for an uploaded file without validating or restricting the path. Because Python os.path.join() honors attacker-controlled absolute paths, an authenticated user can write arbitrary files anywhere writable by the OpenPLC webserver process.
Defensive priority
High
Recommended defensive actions
- Immediately update OpenPLC Runtime v3 to a version that fixes this vulnerability.
- Implement compensating controls such as restricting access to the web UI and monitoring for suspicious file uploads.
- Conduct inventory checks to identify and patch vulnerable systems.
- Enhance monitoring and exception tracking to detect potential exploitation attempts.
- Review relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-10T23:16:47.110Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited details are available about the specific affected configurations and potential mitigations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T23:16:47.110Z and has not been modified since then. The NVD entry is currently Received.