OpenPLC_V3 contains a Plaintext Storage of a Password vulnerability (CWE-256) that allows credential retrieval and unauthorized access to sensitive information. The product is now end-of-life with no patches planned; CISA directs users to migrate to OpenPLC Runtime v4.
OpenPLC_V3 contains a broken access control vulnerability in its REST API. The endpoint validates JWT presence but fails to verify the caller's role, allowing any authenticated user with role=user to delete arbitrary users (including administrators) by user ID or create new accounts with role=admin, achieving full administrative access. The vulnerability was initially published on 2025-12-11 and updated o [truncated]
OpenPLC_V3 contains an insecure default configuration vulnerability (CWE-1188) that enables authentication bypass via API access. The product is end-of-life; CISA recommends migrating to OpenPLC Runtime v4.
CVE-2025-13970 is a cross-site request forgery (CSRF) vulnerability in OpenPLC_V3, published by CISA on 2025-12-11 and updated on 2026-04-09. The vulnerability exists due to absent CSRF validation, allowing unauthenticated attackers to trick authenticated administrators into executing unauthorized actions via maliciously crafted links. Successful exploitation could result in unauthorized modification of P [truncated]
CVE-2025-54811 affects OpenPLC_V3 and was publicly disclosed by CISA on 2025-09-30. The advisory says a flaw in enipThread can lead to a crash when the server loop ends and execution reaches an illegal ud2 instruction, resulting in denial of service for the PLC runtime.