CVE-2021-21866

Name of the Vulnerable Software and Affected Versions CODESYS Development System versions 3.5.16 through 3.5.17

Description A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality. This vulnerability can be triggered by a specially crafted file, leading to arbitrary command execution. An attacker can provide a malicious file to exploit this issue.

Recommendations For versions 3.5.16 and 3.5.17, consider disabling the ObjectManager.plugin ProfileInformation.ProfileData functionality until a patch is available to prevent exploitation. Restrict access to the vulnerable functionality to minimize the risk of arbitrary command execution. Avoid using specially crafted files that can trigger this vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.