CVE-2021-21867

Name of the Vulnerable Software and Affected Versions CODESYS Development System versions 3.5.16 through 3.5.17

Description An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

Recommendations For versions 3.5.16 and 3.5.17, consider disabling the ObjectStream.ProfileByteArray functionality in the ObjectManager.plugin as a temporary workaround until a patch is available. Restrict access to the ObjectManager.plugin to minimize the risk of exploitation. Avoid using malicious files that can trigger this vulnerability until the issue is resolved.