CODESYS in Festo Automation Suite
CISA issued an advisory detailing over 140 vulnerabilities in CODESYS in Festo Automation Suite, affecting critical manufacturing infrastructure worldwide. Vulnerabilities range from critical authentication bypass and buffer overflows (CVSS 9.8) to various memory corruption and input validation flaws. Festo recommends updating to Festo Automation Suite 2.8.0.138 and deploying the latest CODESYS Development System 3.5.21.20.
Summary
CISA issued an advisory detailing over 140 vulnerabilities in CODESYS in Festo Automation Suite, affecting critical manufacturing infrastructure worldwide. Vulnerabilities range from critical authentication bypass and buffer overflows (CVSS 9.8) to various memory corruption and input validation flaws. Festo recommends updating to Festo Automation Suite 2.8.0.138 and deploying the latest CODESYS Development System 3.5.21.20.
Full text
ICS Advisory CODESYS in Festo Automation Suite Release DateMarch 17, 2026 Alert CodeICSA-26-076-01 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF Summary 3. TECHNICAL DETAILS The following versions of CODESYS in Festo Automation Suite are affected: FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0) vers:all/* FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/* FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0) vers:all/* FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/* CVSS Vendor Equipment Vulnerabilities v3 9.8 FESTO, CODESYS CODESYS in Festo Automation Suite Direct Request ('Forced Browsing'), Untrusted Search Path, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Recursion, Improper Access Control, Use of Insufficiently Random Values, Improper Restriction of Communication Channel to Intended Endpoints, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), NULL Pointer Dereference, Stack-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Incorrect Permission Assignment for Critical Resource, Improper Handling of Exceptional Conditions, Exposure of Resource to Wrong Sphere, Allocation of Resources Without Limits or Throttling, Use of a Broken or Risky Cryptographic Algorithm, Out-of-bounds Write, Weak Password Recovery Mechanism for Forgotten Password, Improper Privilege Management, Use of Password Hash With Insufficient Computational Effort, Buffer Access with Incorrect Length Value, Improper Input Validation, Improper Verification of Cryptographic Signature, Inadequate Encryption Strength, Origin Validation Error, Missing Release of Memory after Effective Lifetime, Improper Resource Shutdown or Release, Deserialization of Untrusted Data, Path Equivalence: '//multiple/leading/slash', Insufficient Verification of Data Authenticity, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Missing Authentication for Critical Function, Out-of-bounds Read, Failure to Sanitize Special Elements into a Different Plane (Special Element Injection), Use of Out-of-range Pointer Offset, Improper Neutralization of Script in Attributes of IMG Tags in a Web Page, Files or Directories Accessible to External Parties, Untrusted Pointer Dereference, Path Traversal: '....' (Multiple Dot), ASP.NET Misconfiguration: Missing Custom Error Page, Uncontrolled Resource Consumption, Unprotected Transport of Credentials, Initialization of a Resource with an Insecure Default, Heap-based Buffer Overflow, Unexpected Sign Extension, Buffer Over-read, Uncontrolled Search Path Element, Improper Verification of Source of a Communication Channel, Improper Restriction of Excessive Authentication Attempts, Use After Free, ASP.NET Misconfiguration: Password in Configuration File, Improper Check for Unusual or Exceptional Conditions, Observable Discrepancy, Incorrect Default Permissions Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Germany Vulnerabilities Expand All + CVE-2025-2595 An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor:FESTO, CODESYS Product Version:FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status:known_affected Remediations MitigationFESTO has identified the following specific workarounds and mitigations users can apply to reduce risk: MitigationStarting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo. MitigationThe following product versions have been fixed:CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs MitigationFor more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json MitigationFor more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.https://certvde.com/en/advisories/VDE-2025-108 Relevant CWE: CWE-425 Direct Request ('Forced Browsing') Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2010-5250 Untrusted search path vulnerability in the pthread_win32_process_attach_np function in pthreadGC2.dll in Pthreads-win32 2.8.0 allows local users to gain privileges via a Trojan horse quserex.dll file in the current working directory.NOTE: some of these details are obtained from third party information. View CVE Details Affected Products CODESYS in Festo Automation Suite Vendor:FESTO, CODESYS Product Version:FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/* Product Status:known_affected Remediations MitigationFESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up
Indicators of Compromise
- cve — CVE-2025-2595
- cve — CVE-2025-41659
- cve — CVE-2023-3935
- cve — CVE-2024-5000
- cve — CVE-2024-8175
- cve — CVE-2023-6357
- cve — CVE-2022-4046
- cve — CVE-2022-31805
- cve — CVE-2019-9010
- cve — CVE-2018-10612