[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-critical-flaw-in-openplc-v3-lets-attackers-run-code-on-ics":10,"sections":34},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":24,"tags":25,"sources":29,"feedback":33,"feedback_at":22,"cost_usd":33,"total_tokens":33},4541,"critical-flaw-in-openplc-v3-lets-attackers-run-code-on-ics","Critical Flaw in OpenPLC v3 Lets Attackers Run Code on ICS","A CVSS 9.9 file-write bug in OpenPLC v3's web UI can be escalated into full native code execution — and the only fix is upgrading to v4.","A near-perfect severity vulnerability in OpenPLC v3 gives authenticated attackers a path to run arbitrary code on industrial control systems worldwide.\n\nResearcher Grady DeRosa reported the flaw (CVE-2026-14480) to CISA, which published an advisory on July 9. The bug lives in the legacy web UI's program-upload workflow: the application takes an attacker-supplied filename, stores it directly in the database, and later uses it as a file destination — without any path validation. Because Python's `os.path.join()` will honor an absolute path supplied by the attacker, a logged-in user can drop a file anywhere the web server process can write. The escalation step is almost elegant in a grim way: OpenPLC's default build pipeline automatically compiles every C++ file in its runtime core directory into the executable binary, so writing a malicious `.cpp` file there and triggering a normal compile gives the attacker native code execution as the runtime user.\n\nThe CVSS 3.1 score of 9.9 reflects how little stands between an attacker and full compromise — low privileges, no user interaction, network-accessible, and scope change included. The affected sectors — critical manufacturing, energy, transportation, and water systems — make that score feel, if anything, understated. OpenPLC v3 is deployed worldwide, meaning the blast radius is broad.\n\nThe vendor's remediation is blunt: v3 is end-of-life and will receive no patch, so the only fix is migrating to OpenPLC v4. Organizations that cannot upgrade immediately should isolate control system networks behind firewalls, restrict internet exposure, and require VPN for any remote access — standard ICS hygiene that, in practice, far too many deployments skip.","[\"security\",\"ics\",\"vulnerability\",\"critical-infrastructure\"]","2026-07-09T12:00:00.000Z","2026-07-09T16:29:13.928Z","2026-07-09T16:29:16.897Z","published",null,[],"security",[24,26,27,28],"ics","vulnerability","critical-infrastructure",[30],{"name":31,"url":32},"CISA Advisories","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-190-01",0,{"sections":35},[36,41,45,50,55,60,65,70,75,80,85,89,94,99],{"name":37,"slug":38,"count":39,"latest_published_at":40},"AI","ai",2590,"2026-07-16T04:00:00.000Z",{"name":42,"slug":24,"count":43,"latest_published_at":44},"Security",294,"2026-07-15T19:59:48.000Z",{"name":46,"slug":47,"count":48,"latest_published_at":49},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":51,"slug":52,"count":53,"latest_published_at":54},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":56,"slug":57,"count":58,"latest_published_at":59},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":61,"slug":62,"count":63,"latest_published_at":64},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":66,"slug":67,"count":68,"latest_published_at":69},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":71,"slug":72,"count":73,"latest_published_at":74},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":76,"slug":77,"count":78,"latest_published_at":79},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":81,"slug":82,"count":83,"latest_published_at":84},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":86,"slug":87,"count":83,"latest_published_at":88},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":90,"slug":91,"count":92,"latest_published_at":93},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":95,"slug":96,"count":97,"latest_published_at":98},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":100,"slug":101,"count":102,"latest_published_at":103},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]