Authenticated Arbitrary File Write in OpenPLC v3 (CVE‑2026‑14480) Enables Code Execution
What It Is — OpenPLC Runtime v3’s legacy web UI allows an authenticated user to supply an arbitrary filename (prog_file) that is stored unchecked and later used as a destination path for uploaded files. The lack of path validation lets the attacker write files anywhere the web‑server process can write, paving the way for native code execution during the normal program‑compilation step.
Exploitability — The vulnerability is publicly disclosed (CVE‑2026‑14480) with a CVSS 9.9 (Critical). Exploits are feasible with valid credentials; no public PoC is required beyond the described upload workflow.
Affected Products — OpenPLC Runtime v3 (all releases of the v3 line).
Why It Matters for Compliance & Audit Readiness
- Control Mapping Gap – The flaw reflects missing input‑validation controls (SOC 2 CC6.1 Change Management, CC3.1 System Operations). Mapping this gap and documenting remediation is essential for a defensible audit trail.
- Continuous Evidence – Demonstrating that file‑write controls are enforced and monitored provides real‑time evidence for SOC 2 auditors and reduces reliance on point‑in‑time attestations.
- Enterprise Buyer Expectations – Critical‑infrastructure operators now demand proof that third‑party components (like PLC runtimes) are governed by documented, continuously‑validated controls before they are accepted into production.
Recommended Actions
- Apply the vendor‑released patch for CVE‑2026‑14480 immediately.
- Harden the web UI: enforce whitelist‑based filename validation and restrict upload directories to non‑privileged paths.
- Map the remediation to SOC 2 controls (CC6.1, CC3.1) and capture change‑management logs as audit evidence.
- Incorporate the patched component into your continuous compliance monitoring platform to flag any future regressions.
Source: CISA Advisory – ICSA‑26‑190‑01