• CODESYS in Festo Automation Suite

    From CISA Advisories@2:263/1 to All on Tue Mar 17 17:11:07 2026
    CODESYS in Festo Automation Suite

    Summary
    3. TECHNICAL DETAILS
    The following versions of CODESYS in Festo Automation Suite are affected:

    FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
    FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*
    FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
    FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*





    CVSS: v3 9.8
    Vendor: FESTO, CODESYS
    Equipment: CODESYS in Festo Automation Suite
    Vulnerabilities: Direct Request ('Forced Browsing'), Untrusted Search Path, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Recursion, Improper Access Control, Use of Insufficiently Random Values, Improper Restriction of Communication Channel to Intended Endpoints, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), NULL Pointer Dereference, Stack-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Incorrect Permission Assignment for Critical Resource, Improper Handling of Exceptional Conditions, Exposure of Resource to Wrong Sphere, Allocation of Resources Without Limits or Throttling, Use of a Broken or Risky Cryptographic Algorithm, Out-of-bounds Write, Weak Password Recovery Mechanism for Forgotten Password, Improper Privilege Management, Use of Password Hash With Insufficient Computational Effort, Buffer Access with Incorrect Length Value, Improper Input Validation, Improper Verification of Cryptographic Signature, Inadequate Encryption Strength, Origin Validation Error, Missing Release of Memory after Effective Lifetime, Improper Resource Shutdown or Release, Deserialization of Untrusted Data, Path Equivalence: '//multiple/leading/slash', Insufficient Verification of Data Authenticity, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Missing Authentication for Critical Function, Out-of-bounds Read, Failure to Sanitize Special Elements into a Different Plane (Special Element Injection), Use of Out-of-range Pointer Offset, Improper Neutralization of Script in Attributes of IMG Tags in a Web Page, Files or Directories Accessible to External Parties, Untrusted Pointer Dereference, Path Traversal: '....' (Multiple Dot), ASP.NET Misconfiguration: Missing Custom Error Page, Uncontrolled Resource Consumption, Unprotected Transport of Credentials, Initialization of a Resource with an Insecure Default, Heap-based Buffer Overflow, Unexpected Sign Extension, Buffer Over-read, Uncontrolled Search Path Element, Improper Verification of Source of a Communication Channel, Improper Restriction of Excessive Authentication Attempts, Use After Free, ASP.NET Misconfiguration: Password in Configuration File, Improper Check for Unusual or Exceptional Conditions, Observable Discrepancy, Incorrect Default Permissions




    Background

    Critical Infrastructure Sectors: Critical Manufacturing
    Countries/Areas Deployed: Worldwide
    Company Headquarters Location: Germany


    Vulnerabilities


    CVE-2025-2595

    An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.

    Affected Products
    CODESYS in Festo Automation Suite

    Vendor: FESTO, CODESYS
    Product Version:
      FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
      FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
      FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*
      FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
    Product Status: known_affected


    Remediations
    Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
    Starting from Festo Automation Suite version 2.8.0.138, CODESYS is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to:
      Download the latest, patched version of CODESYS directly from the official CODESYS website.
      Follow the installation and update instructions provided by CODESYS to ensure all security fixes are applied.
      Regularly monitor CODESYS security advisories and apply updates promptly.
      Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
    Fixed versions: CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 is the fixed version for all CVEs.
    For more information see the associated Festo SE & Co. KG security advisory FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite:
      CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
      HTML: https://certvde.com/en/advisories/VDE-2025-108

    Relevant CWE: CWE-425 Direct Request ('Forced Browsing')

    Metrics
    CVSS Version: 3.1
    Base Score: 5.3
    Base Severity: MEDIUM
    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
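    The affected-version list under 3. TECHNICAL DETAILS and the fixed-version statement in the Remediations above reduce to a small decision rule, and the usual mistake when scripting it is comparing version strings lexically (so "3.5.9.0" sorts above "3.5.16.10"). The following is an added example, not Festo or CODESYS code and not part of the advisory. It assumes that 3.5.21.20 is the minimum fixed CODESYS Development System version (the advisory names it as the fixed version without stating whether later builds also qualify) and that any Festo Automation Suite below 2.8.0.138 carries the bundled, affected CODESYS. How the operator obtains the two installed version strings is left out; the advisory does not say where they are recorded.

```python
"""Classify an installation against the FSA-202601 / CISA version statements.

Added example, not vendor code. Labelled assumptions: 3.5.21.20 is treated as
the minimum fixed CODESYS Development System version, and any Festo Automation
Suite (FAS) below 2.8.0.138 is treated as carrying a bundled, affected CODESYS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FAS_FIXED = (2, 8, 0, 138)       # first FAS release that no longer bundles CODESYS
CODESYS_FIXED = (3, 5, 21, 20)   # fixed CODESYS Development System (assumed to be the minimum)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.5.16.10' into (3, 5, 16, 10) so comparisons are numeric, not lexical.

    String comparison would rank '3.5.9.0' above '3.5.16.10'; tuple comparison
    does not. Missing trailing components count as zero ('3.0' -> (3, 0, 0, 0)).
    """
    parts = text.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


@dataclass(frozen=True)
class Verdict:
    affected: bool
    reason: str


def assess(fas_version: str, codesys_version: str | None) -> Verdict:
    """Apply the advisory's rule.

    FAS < 2.8.0.138 shipped CODESYS inside the suite and every listed
    combination (CODESYS 3.0 and 3.5.16.10) is affected, so the FAS version
    alone decides. FAS >= 2.8.0.138 no longer bundles CODESYS, so the
    separately installed CODESYS Development System must be at or above the
    fixed version; with no CODESYS installed at all there is nothing to fix.
    """
    fas = parse_version(fas_version)
    if fas < FAS_FIXED:
        return Verdict(True, f"Festo Automation Suite {fas_version} bundles an affected CODESYS; "
                             "upgrade to 2.8.0.138 or later and install CODESYS separately")
    if codesys_version is None:
        return Verdict(False, "no CODESYS Development System installed alongside the suite")
    if parse_version(codesys_version) < CODESYS_FIXED:
        return Verdict(True, f"CODESYS Development System {codesys_version} is below fixed version 3.5.21.20")
    return Verdict(False, f"CODESYS Development System {codesys_version} is at or above the fixed version")


if __name__ == "__main__":
    # Constructed sample inventory: (host, FAS version, CODESYS version or None).
    inventory = [
        ("eng-ws-01", "2.8.0.137", "3.5.16.10"),
        ("eng-ws-02", "2.7.0.50", "3.0"),
        ("eng-ws-03", "2.8.0.138", "3.5.16.10"),
        ("eng-ws-04", "2.8.0.138", "3.5.21.20"),
        ("eng-ws-05", "2.8.0.138", None),
    ]
    for host, fas, codesys in inventory:
        verdict = assess(fas, codesys)
        print(f"{host}: {'AFFECTED' if verdict.affected else 'ok'} - {verdict.reason}")
```

    Note that the third host above (suite already at 2.8.0.138 but CODESYS still at 3.5.16.10) is the case the advisory's wording makes easy to miss: updating the suite removes the bundled copy but does nothing for a CODESYS installation that was carried over.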







    CVE-2010-5250

    Untrusted search path vulnerability in the pthread_win32_process_attach_np function in pthreadGC2.dll in Pthreads-win32 2.8.0 allows local users to gain privileges via a Trojan horse quserex.dll file in the current working directory. NOTE: some of these details are obtained from third party information.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-426 Untrusted Search Path

    Metrics
    CVSS Version: 3.0
    Base Score: 7.8
    Base Severity: HIGH
    Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H







    CVE-2017-3735

    While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

    Metrics
    CVSS Version: 3.1
    Base Score: 5.3
    Base Severity: MEDIUM
    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N







    CVE-2018-0739

    Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-674 Uncontrolled Recursion

    Metrics
    CVSS Version: 3.1
    Base Score: 6.5
    Base Severity: MEDIUM
    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H







    CVE-2018-10612

    In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-284 Improper Access Control

    Metrics
    CVSS Version: 3.1
    Base Score: 9.8
    Base Severity: CRITICAL
    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H







    CVE-2018-20025

    Use of Insufficiently Random Values exists in CODESYS V3 products in versions prior to V3.5.14.0.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-330 Use of Insufficiently Random Values

    Metrics
    CVSS Version: 3.1
    Base Score: 7.5
    Base Severity: HIGH
    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N







    CVE-2018-20026

    Improper Communication Address Filtering exists in CODESYS V3 products in versions prior to V3.5.14.0.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-923 Improper Restriction of Communication Channel to Intended Endpoints

    Metrics
    CVSS Version: 3.1
    Base Score: 7.5
    Base Severity: HIGH
    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N







    CVE-2019-13532

    CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of the controller.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    Metrics
    CVSS Version: 3.1
    Base Score: 7.5
    Base Severity: HIGH
    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
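    Two of the entries in this advisory, CVE-2025-2595 (unauthenticated forced browsing past the visualization user management) and CVE-2019-13532 (web server requests reaching files outside the controller's restricted working directory), together with the "Path Traversal: '....' (Multiple Dot)" and "Path Equivalence: '//multiple/leading/slash'" weakness classes in the summary table, all come down to one discipline in a static-file handler: canonicalise the request path first, make the authorisation decision on that canonical form, then confine the filesystem path to the document root using the resolved path rather than a string prefix. The following is an added illustration of that discipline, not CODESYS or Festo code and not a description of how CODESYS fixed these issues. The document root /srv/plc-web, the convention that everything under /templates/ requires an authenticated session, and the Session object are assumptions made for the example.

```python
"""Serving static files without CWE-22 path traversal and without CWE-425
forced browsing. Added illustration, not CODESYS or Festo code.

Assumptions (for illustration only): files live under a document root;
anything under '/templates/' is private and needs an authenticated session;
everything else is public. File I/O is replaced by returning the resolved
path so the example runs without a filesystem layout.
"""
from __future__ import annotations

import os
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

PRIVATE_PREFIXES = ("/templates/",)   # assumed layout, lower-case for the comparison below


@dataclass
class Session:
    authenticated: bool = False


class Forbidden(Exception):
    pass


def canonicalize(url_path: str) -> str:
    """Reduce a request path to one canonical, absolute, forward-slash form.

    Every later decision (authorisation, file lookup) uses this value, so the
    encoded, doubled-slash, backslash and dot-only spellings of a path either
    collapse to the same string or are rejected outright.
    """
    path = unquote(url_path.split("?", 1)[0])   # decode %2e%2e, %74emplates etc. once
    if "\x00" in path or "\\" in path:          # NUL truncation, Windows separators
        raise Forbidden("illegal character in path")
    path = "/" + path.lstrip("/")               # '//etc/passwd' -> '/etc/passwd' (leading-slash equivalence)
    for segment in path.split("/"):
        # '..', '...', '....': reject rather than clamp. A static-file URL has
        # no legitimate use for these, and a rejected request is worth logging;
        # a clamped one silently hides the probe. normpath() would leave
        # '....' alone, and some servers strip '..' repeatedly, turning
        # '....//' into '../' - so the check is on the raw segments.
        if len(segment) >= 2 and set(segment) == {"."}:
            raise Forbidden("dot-only path segment")
    return posixpath.normpath(path)             # '/a//b/./c' -> '/a/b/c'


def resolve(root: str, url_path: str, session: Session) -> str:
    """Map a request onto a file under root, or raise Forbidden.

    Order matters: canonicalise, authorise on the canonical path, then confine
    the filesystem path. Authorising on the raw request string is exactly what
    forced browsing exploits.
    """
    canon = canonicalize(url_path)
    # CWE-425: the access decision is made on the canonical path, so
    # '//templates/x.xml' or '/%74emplates/x.xml' cannot skip it. The comparison
    # is case-insensitive: on a case-insensitive filesystem (Windows) the server
    # would otherwise happily serve '/Templates/x.xml' while this check looks
    # for '/templates/'.
    if canon.lower().startswith(PRIVATE_PREFIXES) and not session.authenticated:
        raise Forbidden("authentication required")
    # CWE-22: resolve symlinks and compare against the real root with a
    # path-aware comparison, not a string prefix ('/srv/plc-web2' would pass
    # a startswith('/srv/plc-web') test).
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, canon.lstrip("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        raise Forbidden("path escapes document root")
    return target


if __name__ == "__main__":
    root = "/srv/plc-web"                       # assumed document root
    requests = [                                # constructed sample requests
        ("/index.htm", Session()),
        ("//etc/passwd", Session()),
        ("/%2e%2e/%2e%2e/etc/passwd", Session()),
        ("/..../..../etc/passwd", Session()),
        ("/templates/main.xml", Session()),
        ("/%74emplates/main.xml", Session()),
        ("/Templates/main.xml", Session()),
        ("/templates/main.xml", Session(authenticated=True)),
    ]
    for path, session in requests:
        try:
            print(f"{path!r:32} -> 200 {resolve(root, path, session)}")
        except Forbidden as exc:
            print(f"{path!r:32} -> 403 {exc}")
```

    The realpath/commonpath confinement is the backstop; the rejection of dot-only segments and the authorisation on the canonical form are what keep the handler from being talked into serving a private template or a file one level up by a spelling the backstop alone would not have flagged as suspicious.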







    CVE-2019-13538

    3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed. The issue also exists for source libraries, but 3S-Smart Software Solutions GmbH strongly recommends distributing compiled libraries only.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    Metrics
    CVSS Version: 3.1
    Base Score: 8.6
    Base Severity: HIGH
    Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H







    CVE-2019-13542

    3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all versions 3.5.11.0 to 3.5.15.0, allows an attacker to send crafted requests from a trusted OPC UA client that cause a NULL pointer dereference, which may trigger a denial-of-service condition.

    Affected Products / Remediations: identical to the CVE-2025-2595 entry above (same affected Festo Automation Suite and CODESYS Development System combinations; fixed by CODESYS Development System 3.5.21.20 installed with Festo Automation Suite 2.8.0.138; see FSA-202601).

    Relevant CWE: CWE-476 NULL Pointer Dereference

    Metrics
    CVSS Version   Base Score   Base Severity   Vector String
    3.1            6.5          MEDIUM          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE-2019-13548

    CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which could cause a stack overflow and create a denial-of-service condition or allow remote code execution.

    Affected Products
    CODESYS in Festo Automation Suite

    Vendor: FESTO, CODESYS
    Product Version:
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.5.16.10 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.5.16.10 (vers:all/*)
    Product Status: known_affected


    Remediations
    Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk. Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to:
        Download the latest, patched version of Codesys directly from the official Codesys website.
        Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
        Regularly monitor Codesys security advisories and apply updates promptly.
        Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
    Mitigation: The following product versions have been fixed: CODESYS Development System 3.5.21.20, installed as an external component of Festo Automation Suite 2.8.0.138, is the fixed combination for all CVEs.
    Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601, "Several CODESYS vulnerabilities in Festo Automation Suite":
        CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
        HTML: https://certvde.com/en/advisories/VDE-2025-108

    Relevant CWE: CWE-121 Stack-based Buffer Overflow

    Metrics
    CVSS Version   Base Score   Base Severity   Vector String
    3.1            9.8          CRITICAL        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2019-18858

    CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow.

    Affected Products
    CODESYS in Festo Automation Suite

    Vendor: FESTO, CODESYS
    Product Version:
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.5.16.10 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.5.16.10 (vers:all/*)
    Product Status: known_affected


    Remediations
    Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk. Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to:
        Download the latest, patched version of Codesys directly from the official Codesys website.
        Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
        Regularly monitor Codesys security advisories and apply updates promptly.
        Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
    Mitigation: The following product versions have been fixed: CODESYS Development System 3.5.21.20, installed as an external component of Festo Automation Suite 2.8.0.138, is the fixed combination for all CVEs.
    Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601, "Several CODESYS vulnerabilities in Festo Automation Suite":
        CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
        HTML: https://certvde.com/en/advisories/VDE-2025-108

    Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

    Metrics
    CVSS Version   Base Score   Base Severity   Vector String
    3.1            9.8          CRITICAL        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2019-19789

    3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Toolkit 32 bit full before V2.4.7.54, and CODESYS PLCWinNT before V2.4.7.54 allow a NULL pointer dereference.

    Affected Products
    CODESYS in Festo Automation Suite

    Vendor: FESTO, CODESYS
    Product Version:
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.5.16.10 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.5.16.10 (vers:all/*)
    Product Status: known_affected


    Remediations
    Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk. Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to:
        Download the latest, patched version of Codesys directly from the official Codesys website.
        Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
        Regularly monitor Codesys security advisories and apply updates promptly.
        Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
    Mitigation: The following product versions have been fixed: CODESYS Development System 3.5.21.20, installed as an external component of Festo Automation Suite 2.8.0.138, is the fixed combination for all CVEs.
    Mitigation: For more information see the associated Festo SE & Co. KG security advisory FSA-202601, "Several CODESYS vulnerabilities in Festo Automation Suite":
        CSAF: https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
        HTML: https://certvde.com/en/advisories/VDE-2025-108

    Relevant CWE: CWE-476 NULL Pointer Dereference

    Metrics
    CVSS Version   Base Score   Base Severity   Vector String
    3.1            6.5          MEDIUM          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    CVE-2019-5105

    An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System).

    Affected Products
    CODESYS in Festo Automation Suite

    Vendor: FESTO, CODESYS
    Product Version:
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System 3.5.16.10 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.0 (vers:all/*)
        Festo Automation Suite 2.8.0.137 installed with CODESYS Development System 3.5.16.10 (vers:all/*)
    Product Status: known_affected


    Remediations
    Mitigation: FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk. Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to:
        Download the latest, patched version of Codesys directly from the official Codesys website.
        Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied.
        Regularly monitor Codesys security advisories and apply updates
    --- FMail-lnx 2.3.2.6-B20251227
    * Origin: TCOB1 A Mail Only System (2:263/1)