ctipilot.ch
← Back to Daily brief 2026-07-09
NOTABLECVE-2026-14480vulnerability

CVE-2026-14480 — OpenPLC v3 Runtime: authenticated arbitrary file write escalates to native RCE via the auto-compile pipeline (CVSS 9.9)

discovered 2026-07-09 20:36 UTCrun 2026-07-09T2009Z-intel1 sourcesingle-source · national CERT

CISA published ICS advisory ICSA-26-190-01 (2026-07-09) for OpenPLC Runtime v3, the widely used open-source PLC runtime CISA tags across the Critical Manufacturing, Energy, Transportation Systems, and Water/Wastewater sectors (CISA, 2026-07-09). CVE-2026-14480 (CWE-73, External Control of File Name or Path; CVSS 3.1 9.9 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, CVSS 4.0 8.7) is an authenticated arbitrary file-write in the legacy web UI's program-upload workflow: the application stores an attacker-supplied filename (the prog_file parameter) directly into the Programs.File database field and later uses that value as the destination write path without validation, and because the underlying Python os.path.join() honors an attacker-controlled absolute path, any authenticated user can write files anywhere the webserver process can reach (CISA, 2026-07-09). The escalation is specific to OpenPLC's build model: all .cpp source files in the runtime's core directory are automatically compiled into the executable runtime binary, so writing a malicious .cpp there and then triggering a normal program compile-and-start — an ordinary operator action, not an exploit primitive — executes attacker code as the OpenPLC runtime user (T1190). The bug was reported to CISA by researcher Grady DeRosa, and CISA states no known public exploitation at this time.

CISA cites no fixed release version — its only stated mitigations are the standard ICS hardening set (minimise network exposure, keep control-system devices off the internet, place them behind firewalls isolated from business networks, use VPN for remote access) — so this should be treated as unpatched until the OpenPLC project ships guidance. Because exploitation requires authentication, the practical exposure hinges on how reachable and how loosely authenticated the web UI is: an internet-exposed or shared-credential OpenPLC instance is effectively RCE-exposed, while one confined to a trusted out-of-band network with per-operator accounts is not. Triage: the compile step itself is legitimate operator activity, so the discriminator is what is being compiled and who spawned it — new or modified .cpp files appearing in the runtime core directory outside a maintainer deploy, and the compiler toolchain being invoked by the OpenPLC webserver process or its children rather than by an engineer-initiated build from an authorised workstation; parent-process lineage (webserver → gcc/g++) is the signal.

Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem and escalate this into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execution as the OpenPLC runtime user.

In the default build pipeline, all C++ source files within the OpenPLC runtime core directory are automatically compiled into the executable runtime binary.

CISA (ICS Advisory ICSA-26-190-01) 2026-07-09

Defender actions

  • Inventory OpenPLC v3 / OpenPLC Runtime deployments in OT and lab environments; ensure the web UI is never internet-reachable and is confined to an out-of-band management network, since no fixed version exists yet.
  • If the legacy web UI program-upload path is not required, disable/retire it; where web-UI authentication cannot be restricted to trusted operators only, treat the runtime as compromise-by-design until network isolation is enforced.
  • Hunt for new or modified .cpp files in the OpenPLC runtime core source directory outside maintainer deploys, and for the compiler toolchain (gcc/g++) being spawned by the OpenPLC webserver process rather than an operator-driven build.

ATT&CK mapping

1 technique mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.