PT-2021-7779 · 3S Smart Software Solutions · Codesys Development System

Published

2021-08-05

·

Updated

2022-09-30

·

CVE-2021-21863

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

CODESYS Development System versions 3.5.16 through 3.5.17

Description

An unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality. The issue stems from deficiencies in the deserialization mechanism, which allow an attacker to execute arbitrary commands by supplying a specially crafted file; the vulnerability is triggered when such a malicious file is loaded.

Recommendations

For versions 3.5.16 and 3.5.17, consider disabling the Profile.FromFile() function until a patch is available to prevent exploitation. Restrict access to files that could be used to trigger this vulnerability to minimize the risk of arbitrary command execution.

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2023-02777
CVE-2021-21863

Affected Products

Codesys Development System