[HIGH] CVE-2025-41669 — CVSS 8.8 (May 27, 2026)

A HIGH-severity vulnerability identified as CVE-2025-41669 has been published on May 27, 2026 with a CVSS base score of 8.8. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.

Vulnerability Details

CVE ID: CVE-2025-41669
Severity: HIGH
CVSS Score: 8.8
Published: May 27, 2026
Weakness (CWE): CWE-347

Technical Description

The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.

Potential Impact

If exploited, this high-severity vulnerability could allow an attacker to compromise sensitive data confidentiality, tamper with system integrity, cause a denial of service. Organizations running affected software should treat this as a priority remediation item.

Recommended Action

No official patch is available yet. Until one is released:

1. Monitor the official NVD page and vendor channels for patch announcements.
2. Restrict access to the affected system or service where possible.
3. Apply network-level mitigations such as firewall rules or WAF policies.
4. Enable logging and alerting for anomalous activity related to this vulnerability.
5. Review your incident response plan in case of active exploitation.

View full details on NVD →

References

• Reference 1

Related Security Advisories

• [HIGH] CVE-2026-24032 — CVSS 7.3 (April 14, 2026) — HIGH / CVSS 7.3
• [HIGH] CVE-2026-0234 — CVSS 7.2 (April 13, 2026) — HIGH / CVSS 7.2
• [HIGH] CVE-2025-41670 — CVSS 7.8 (May 27, 2026) — HIGH / CVSS 7.8