OpenPLC v3 Vulnerability Advisory
OpenPLC v3 Vulnerability Advisory 🚨
Source: CISA
Date Published: July 9, 2026
A critical vulnerability has been identified in OpenPLC v3 that could allow an authenticated attacker to write arbitrary files to the filesystem. This could escalate into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execution as the OpenPLC runtime user. The affected versions include OpenPLC v3.
Vulnerability Details 🔍
The vulnerability, identified as CVE-2026-14480, impacts critical infrastructure sectors including:
- Critical Manufacturing
- Energy
- Transportation Systems
- Water and Wastewater
OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program-upload workflow. The application stores an attacker-supplied filename directly into the Programs.File database field and later uses this value as the destination path for an uploaded file without validating or restricting the path. This allows an authenticated user to write arbitrary files anywhere writable by the OpenPLC webserver process.
Recommendations 🛡️
OpenPLC recommends users upgrade to OpenPLC v4 as OpenPLC v3 is end-of-life and is no longer receiving patches, bug fixes, or security updates. CISA advises users to take defensive measures to minimize the risk of exploitation of this vulnerability, including:
- Minimizing network exposure for all control system devices.
- Ensuring they are not accessible from the internet.
- Locating control system networks and remote devices behind firewalls.
- Using secure methods for remote access, such as Virtual Private Networks (VPNs).
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
For more details, please refer to the full advisory: Read full article