www.cisa.gov 7/9/2026, 5:26:56 PM · external

Critical OpenPLC v3 flaw lets attackers run code via file write

CyberSIXT Evidence Panel
Primary Source github.com
CISA KEV Not in KEV
Patch Patch Status Unknown

THE ICS Advisory ICSA-26-190-01, released on July 9, 2026, addresses a critical vulnerability in OpenPLC v3. This vulnerability (CVE-2026-14480) allows authenticated attackers to write arbitrary files to the filesystem, which can escalate to native code execution when certain compilation processes are triggered. The affected version is OpenPLC v3, which has a CVSS score of 9.9, classified as critical. Users are advised to upgrade to OpenPLC v4 as OpenPLC v3 is end-of-life and no longer receives updates.

CISA recommends minimizing network exposure of control systems, implementing secure remote access, and following cybersecurity best practices.

View Primary Source Via www.cisa.gov

Article by CyberSIXT