ctipilot.ch

OpenPLC v3 Runtime authenticated arbitrary file-write to native RCE (CVSS 9.9; CISA ICSA-26-190-01, no fix)

cve · CVE-2026-14480 single-source-national-cert

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
1
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
OpenPLC v3

ATT&CK techniques

1 technique observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-09/openplc-cve-2026-14480-file-write-rce · ATT&CK page ↗

Story timeline

  1. 2026-07-09CVE-2026-14480 — OpenPLC v3 Runtime: authenticated arbitrary file write escalates to native RCE via the auto-compile pipeline (CVSS 9.9)
    trending-vulnerabilitiesCISA ICS advisory: an authenticated file-write in OpenPLC's legacy web UI reaches native code execution, with no fixed version cited

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cisa.gov1 (100%)

Entries about OpenPLC v3 Runtime authenticated arbitrary file-write to native RCE (CVSS 9.9; CISA ICSA-26-190-01, no fix) (1)

2026-07-09 · view entry permalink →

CVE-2026-14480 — OpenPLC v3 Runtime: authenticated arbitrary file write escalates to native RCE via the auto-compile pipeline (CVSS 9.9)

CISA published ICS advisory ICSA-26-190-01 (2026-07-09) for OpenPLC Runtime v3, the widely used open-source PLC runtime CISA tags across the Critical Manufacturing, Energy, Transportation Systems, and Water/Wastewater sectors (CISA, 2026-07-09). CVE-2026-14480 (CWE-73, External Control of File Name or Path; CVSS 3.1 9.9 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, CVSS 4.0 8.7) is an authenticated arbitrary file-write in the legacy web UI's program-upload workflow: the application stores an attacker-supplied filename (the prog_file parameter) directly into the Programs.File database field and later uses that value as the destination write path without validation, and because the underlying Python os.path.join() honors an attacker-controlled absolute path, any authenticated user can write files anywhere the webserver process can reach (CISA, 2026-07-09). The escalation is specific to OpenPLC's build model: all .cpp source files in the runtime's core directory are automatically compiled into the executable runtime binary, so writing a malicious .cpp there and then triggering a normal program compile-and-start — an ordinary operator action, not an exploit primitive — executes attacker code as the OpenPLC runtime user (T1190). The bug was reported to CISA by researcher Grady DeRosa, and CISA states no known public exploitation at this time.

CISA cites no fixed release version — its only stated mitigations are the standard ICS hardening set (minimise network exposure, keep control-system devices off the internet, place them behind firewalls isolated from business networks, use VPN for remote access) — so this should be treated as unpatched until the OpenPLC project ships guidance. Because exploitation requires authentication, the practical exposure hinges on how reachable and how loosely authenticated the web UI is: an internet-exposed or shared-credential OpenPLC instance is effectively RCE-exposed, while one confined to a trusted out-of-band network with per-operator accounts is not. Triage: the compile step itself is legitimate operator activity, so the discriminator is what is being compiled and who spawned it — new or modified .cpp files appearing in the runtime core directory outside a maintainer deploy, and the compiler toolchain being invoked by the OpenPLC webserver process or its children rather than by an engineer-initiated build from an authorised workstation; parent-process lineage (webserver → gcc/g++) is the signal.

Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem and escalate this into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execution as the OpenPLC runtime user.

In the default build pipeline, all C++ source files within the OpenPLC runtime core directory are automatically compiled into the executable runtime binary.

CISA (ICS Advisory ICSA-26-190-01) 2026-07-09
vulnerability09 Jul 20:36Zsingle-source · national CERTOpen finding ↗