Summary
3. TECHNICAL DETAILS
The following versions of CODESYS in Festo Automation Suite are affected:
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*
- FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
- FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | FESTO, CODESYS | CODESYS in Festo Automation Suite | Direct Request (‘Forced Browsing’), Untrusted Search Path, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Recursion, Improper Access Control, Use of Insufficiently Random Values, Improper Restriction of Communication Channel to Intended Endpoints, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), NULL Pointer Dereference, Stack-based Buffer Overflow, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Incorrect Permission Assignment for Critical Resource, Improper Handling of Exceptional Conditions, Exposure of Resource to Wrong Sphere, Allocation of Resources Without Limits or Throttling, Use of a Broken or Risky Cryptographic Algorithm, Out-of-bounds Write, Weak Password Recovery Mechanism for Forgotten Password, Improper Privilege Management, Use of Password Hash With Insufficient Computational Effort, Buffer Access with Incorrect Length Value, Improper Input Validation, Improper Verification of Cryptographic Signature, Inadequate Encryption Strength, Origin Validation Error, Missing Release of Memory after Effective Lifetime, Improper Resource Shutdown or Release, Deserialization of Untrusted Data, Path Equivalence: ‘//multiple/leading/slash’, Insufficient Verification of Data Authenticity, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Missing Authentication for Critical Function, Out-of-bounds Read, Failure to Sanitize Special Elements into a Different Plane (Special Element Injection), Use of Out-of-range Pointer Offset, Improper Neutralization of Script in Attributes of IMG Tags in a Web Page, Files or Directories Accessible to External Parties, Untrusted Pointer Dereference, Path Traversal: ‘….’ (Multiple Dot), ASP.NET Misconfiguration: Missing Custom Error Page, Uncontrolled Resource Consumption, Unprotected Transport of Credentials, Initialization of a Resource with an Insecure Default, Heap-based Buffer Overflow, Unexpected Sign Extension, Buffer Over-read, Uncontrolled Search Path Element, Improper Verification of Source of a Communication Channel, Improper Restriction of Excessive Authentication Attempts, Use After Free, ASP.NET Misconfiguration: Password in Configuration File, Improper Check for Unusual or Exceptional Conditions, Observable Discrepancy, Incorrect Default Permissions |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2025-2595
An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-425 Direct Request (‘Forced Browsing’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2010-5250
Untrusted search path vulnerability in the pthread_win32_process_attach_np function in pthreadGC2.dll in Pthreads-win32 2.8.0 allows local users to gain privileges via a Trojan horse quserex.dll file in the current working directory.NOTE: some of these details are obtained from third party information.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-426 Untrusted Search Path
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2017-3735
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2018-0739
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
CVE-2018-10612
In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-284 Improper Access Control
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2018-20025
Use of Insufficiently Random Values exists in CODESYS V3 products versions prior V3.5.14.0.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-330 Use of Insufficiently Random Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2018-20026
Improper Communication Address Filtering exists in CODESYS V3 products versions prior V3.5.14.0.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2019-13532
CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of the controller.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2019-13538
3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed. The issue also exists for source libraries, but 3S-Smart Software Solutions GmbH strongly recommends distributing compiled libraries only.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.6 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
CVE-2019-13542
3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all versions 3.5.11.0 to 3.5.15.0, allows an attacker to send crafted requests from a trusted OPC UA client that cause a NULL pointer dereference, which may trigger a denial-of-service condition.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-13548
CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which could cause a stack overflow and create a denial-of-service condition or allow remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-121 Stack-based Buffer Overflow
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2019-18858
CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2019-19789
3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Toolkit 32 bit full before V2.4.7.54, and CODESYS PLCWinNT before V2.4.7.54 allow a NULL pointer dereference.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-5105
An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System).
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-9008
An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30. A user with low privileges can take full control over the runtime.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2019-9009
An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-755 Improper Handling of Exceptional Conditions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-9010
An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-284 Improper Access Control
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2019-9011
In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-668 Exposure of Resource to Wrong Sphere
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2019-9012
An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-9013
An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-10245
CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-12067
In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user’s password may be changed by an attacker without knowledge of the current password.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-640 Weak Password Recovery Mechanism for Forgotten Password
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVE-2020-12068
An issue was discovered in CODESYS Development System before 3.5.16.0. CODESYS WebVisu and CODESYS Remote TargetVisu are susceptible to privilege escalation.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-269 Improper Privilege Management
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
CVE-2020-12069
In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-916 Use of Password Hash With Insufficient Computational Effort
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-14509
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-805 Buffer Access with Incorrect Length Value
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-14513
CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-14515
CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-347 Improper Verification of Cryptographic Signature
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVE-2020-14517
Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-326 Inadequate Encryption Strength
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-14519
This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted Java Script payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-346 Origin Validation Error
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVE-2020-15806
CODESYS Control runtime system before 3.5.16.10 allows Uncontrolled Memory Allocation.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-16233
An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-404 Improper Resource Shutdown or Release
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2020-7052
CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-21863
A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-502 Deserialization of Untrusted Data
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-21864
A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-50 Path Equivalence: ‘//multiple/leading/slash’
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-21865
A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-502 Deserialization of Untrusted Data
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-21866
A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-502 Deserialization of Untrusted Data
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-21867
An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-50 Path Equivalence: ‘//multiple/leading/slash’
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-21868
An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-50 Path Equivalence: ‘//multiple/leading/slash’
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-21869
An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-502 Deserialization of Untrusted Data
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-29239
CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-345 Insufficient Verification of Data Authenticity
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-29240
The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-345 Insufficient Verification of Data Authenticity
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-29241
CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS).
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-29242
CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router’s addressing scheme and may re-route, add, remove or change low level communication packages.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
CVE-2021-30186
CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-30187
CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
CVE-2021-30188
CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-30190
CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-30195
CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-33485
CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-33486
All versions of the CODESYS V3 Runtime Toolkit for VxWorks from version V3.5.8.0 and before version V3.5.17.10 have Improper Handling of Exceptional Conditions.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-755 Improper Handling of Exceptional Conditions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-34593
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-34595
A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-823 Use of Out-of-range Pointer Offset
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
CVE-2021-34596
A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-36763
In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-552 Files or Directories Accessible to External Parties
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2021-36764
In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-36765
In CODESYS EtherNetIP before 4.1.0.0, specific EtherNet/IP requests may cause a null pointer dereference in the downloaded vulnerable EtherNet/IP stack that is executed by the CODESYS Control runtime system.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-1965
Multiple products of CODESYS implement a improper error handling. A low privilege remote attacker may craft a request, which is not properly processed by the error handling. In consequence, the file referenced by the request could be deleted. User interaction is not required.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-755 Improper Handling of Exceptional Conditions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
CVE-2022-1989
All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2022-22508
Improper Input Validation vulnerability in multiple CODESYS V3 products allows an authenticated remote attacker to block consecutive logins of a specific type.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
CVE-2022-22513
An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-22514
An authenticated, remote attacker can gain access to a dereferenced pointer contained in a request. The accesses can subsequently lead to local overwriting of memory in the CmpTraceMgr, whereby the attacker can neither gain the values read internally nor control the values to be written. If invalid memory is accessed, this results in a crash.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-822 Untrusted Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
CVE-2022-22515
A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-668 Exposure of Resource to Wrong Sphere
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
CVE-2022-22516
The SysDrv3S driver in the CODESYS Control runtime system on Microsoft Windows allows any system user to read and write within restricted memory space.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-22517
An unauthenticated, remote attacker can disrupt existing communication channels between CODESYS products by guessing a valid channel ID and injecting packets. This results in the communication channel to be closed.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-33 Path Traversal: ‘….’ (Multiple Dot)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-22519
A remote, unauthenticated attacker can send a specific crafted HTTP or HTTPS requests causing a buffer over-read resulting in a crash of the webserver of the CODESYS Control runtime system.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-12 ASP.NET Misconfiguration: Missing Custom Error Page
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-30791
In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-30792
In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-31805
In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-523 Unprotected Transport of Credentials
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-31806
In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-32136
In multiple CODESYS products, a low privileged remote attacker may craft a request that cause a read access to an uninitialized pointer, resulting in a denial-of-service. User interaction is not required.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32137
In multiple CODESYS products, a low privileged remote attacker may craft a request, which may cause a heap-based buffer overflow, resulting in a denial-of-service condition or memory overwrite. User interaction is not required.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-122 Heap-based Buffer Overflow
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-32138
In multiple CODESYS products, a remote attacker may craft a request which may cause an unexpected sign extension, resulting in a denial-of-service condition or memory overwrite.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-194 Unexpected Sign Extension
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-32139
In multiple CODESYS products, a low privileged remote attacker may craft a request, which cause an out-of-bounds read, resulting in a denial-of-service condition. User Interaction is not required.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32140
Multiple CODESYS products are affected to a buffer overflow.A low privileged remote attacker may craft a request, which can cause a buffer copy without checking the size of the service, resulting in a denial-of-service condition. User Interaction is not required.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32141
Multiple CODESYS Products are prone to a buffer over read. A low privileged remote attacker may craft a request with an invalid offset, which can cause an internal buffer over-read, resulting in a denial-of-service condition. User interaction is not required.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-126 Buffer Over-read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32142
Multiple CODESYS Products are prone to a out-of bounds read or write access. A low privileged remote attacker may craft a request with invalid offset, which can cause an out-of-bounds read or write access, resulting in denial-of-service condition or local memory overwrite, which can lead to a change of local files. User interaction is not required.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-823 Use of Out-of-range Pointer Offset
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
CVE-2022-32143
In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if remote attacker has previously successfully authenticated himself to the controller. A successful Attack may lead to a denial of service, change of local files, or drain of confidential Information. User interaction is not required
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-552 Files or Directories Accessible to External Parties
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-4046
In CODESYS Control in multiple versions a improper restriction of operations within the bounds of a memory buffer allow an remote attacker with user privileges to gain full access of the device.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-4048
Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-326 Inadequate Encryption Strength
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.7 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVE-2022-4224
In multiple products of CODESYS v3 in multiple versions a remote low privileged user could utilize this vulnerability to read and modify system files and OS resources or DoS the device.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47378
Multiple CODESYS products in multiple versions are prone to a improper input validation vulnerability. An authenticated remote attacker may craft specific requests that use the vulnerability leading to a denial-of-service condition.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-47379
An authenticated, remote attacker may use a out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into memory which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47380
An authenticated remote attacker may use a stack basedout-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47381
An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47383
An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47384
An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47385
An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpAppForce Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47386
An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47387
An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47388
An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47389
An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47390
An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-47391
In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use a improper input validation vulnerability to read from invalid addresses leading to a denial of service.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-47392
An authenticated, remote attacker may use a improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce Components of multiple CODESYS products in multiple versions to read from an invalid address which can lead to a denial-of-service condition.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-47393
An authenticated, remote attacker may use a Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-3662
In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the users context .
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-427 Uncontrolled Search Path Element
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-3663
In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-940 Improper Verification of Source of a Communication Channel
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-3669
A missing Brute-Force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts of guessing the password within an import dialog.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVE-2023-3670
In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-668 Exposure of Resource to Wrong Sphere
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-37545
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37546
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37547
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37548
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37549 and CVE-2023-37550
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37549
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37550
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37550
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37549.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37551
In multiple Codesys products in multiple versions, after successful authentication as a user, specially crafted network communication requests can utilize the CmpApp component to download files with any file extensions to the controller. In contrast to the regular file download via CmpFileTransfer, no filtering of certain file types is performed here. As a result, the integrity of the CODESYS control runtime system may be compromised by the files loaded onto the controller.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-552 Files or Directories Accessible to External Parties
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
CVE-2023-37552
In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37553, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37553
In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37554, CVE-2023-37555 and CVE-2023-37556.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37554
In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37555 and CVE-2023-37556.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37555
In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37556.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37556
In multiple versions of multiple Codesys products, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpAppBP component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37552, CVE-2023-37553, CVE-2023-37554 and CVE-2023-37555.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37557
After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, which can lead to a denial-of-service condition.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37558
After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37559
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-37559
After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37558
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-3935
A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2023-49675
An unauthenticated local attacker may trick a user to open corrupted project files to execute arbitrary code or crash the system due to an out-of-bounds write vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-49676
An unauthenticated local attacker may trick a user to open corrupted project files to crash the system due to use after free vulnerability.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
CVE-2023-6357
A low-privileged remote attacker could exploit the vulnerability and inject additional system commands via file system libraries which could give the attacker full control of the device.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2024-5000
An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted request to affected CODESYS products which can cause a DoS due to incorrect calculation of buffer size.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-13 ASP.NET Misconfiguration: Password in Configuration File
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2024-8175
An unauthenticated remote attacker can causes the CODESYS web server to access invalid memory which results in a DoS.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2025-0694
Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.6 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2025-1468
An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-203 Observable Discrepancy
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2025-41658
CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-276 Incorrect Default Permissions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVE-2025-41659
A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing option elements from untrusted sources – even after sanitizing it – to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
CVE-2022-47382
An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
Affected Products
CODESYS in Festo Automation Suite
FESTO, CODESYS
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10): vers:all/*
known_affected
Remediations
Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
Mitigation
The following product versions have been fixed:
Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json
Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite – HTML.
https://certvde.com/en/advisories/VDE-2025-108
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Acknowledgments
- CERT@VDE reported this vulnerability to Festo
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Revision History
- Initial Release Date: 2026-03-17
| Date | Revision | Summary |
|---|---|---|
| 2026-03-17 | 1 | Initial Republication of Festo SE & Co. KG FSA-202601 |
