CVE Alert: CVE-2025-41701 – Beckhoff – TE1000 | TwinCAT 3 Engineering

CVE-2025-41701

HIGH · No exploitation known

An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. These arbitrary commands are executed in the user context.

CVSS v3.1: 7.8
Metrics: AV LOCAL · AC LOW · PR NONE · UI REQUIRED · S UNCHANGED
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vendor: Beckhoff
Product: TE1000 | TwinCAT 3 Engineering
Versions: from 0 up to, but not including, 3.1.4024.67
CWE: CWE-502 Deserialization of Untrusted Data
Published: 2025-09-09T08:57:28.132Z
Updated: 2025-09-09T08:57:28.132Z

AI Summary Analysis

Risk verdict

High risk of local command execution via a manipulated project file; patch promptly when available.

Why this matters

An unauthenticated attacker can trigger arbitrary commands through user interaction, potentially compromising workstation integrity and disrupting engineering workflows. In manufacturing environments, this can lead to production delays, data exposure, or manipulation of project artefacts if an operator opens a crafted file.

Most likely attack path

Attacker relies on local access and user interaction; no privileges required, but the user must open a malicious project file. The tool’s deserialization flaw means commands run in the user context, so a compromised account with standard rights could cascade if the tool runs with higher privileges or on accounts used for engineering tasks. Lateral movement is unlikely without additional footholds, but privilege elevation is possible if the user session holds admin rights.

Who is most exposed

Organisations using Beckhoff TwinCAT 3 Engineering on engineering workstations or operators’ PCs in industrial settings are most at risk, especially where project files are routinely exchanged or opened from shared folders or remote sources.

Detection ideas

  • Unusual process creation or command lines from the engineering tool after opening a project file.
  • System or application logs showing deserialization-related errors or unexpected script/command execution.
  • New/modified files or registry keys triggered by opening a targeted project file.
  • Anomalous user sessions initiating shell or script activity from the tool.

Mitigation and prioritisation

  • Apply patched version as soon as available; verify integrity before deployment.
  • Enforce least-privilege for engineering workstations; restrict admin rights on operator accounts.
  • Enable application control/whitelisting for the engineering tool and forbid automatic execution of embedded scripts.
  • Detect and block suspicious file types or crafted project files from untrusted sources; implement network segmentation for OT/IT.
  • Change-management: schedule patching in a controlled window, with rollback plan and backups of critical project data.
