OTPulse

Festo Controller CECC-S,-LK,-D Family Firmware (Update A)

Act Now | CVSS 9.8 | ICS-CERT ICSA-25-273-04 | Sep 30, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

This advisory covers 19 CVEs in the Festo CECC-D, CECC-LK, and CECC-S controller families affecting firmware versions 2.3.8.0 and 2.3.8.1. The vulnerabilities exist in the underlying CODESYS V3 runtime system and include improper input validation, authentication bypass, privilege escalation, memory corruption (buffer overflows), insecure cryptographic practices, and resource exhaustion flaws. Successful exploitation could allow an attacker to crash services, escalate privileges, bypass authentication, or gain unauthorized access to the controller and sensitive data. Festo has stated that 14 of the 19 CVEs will not be patched in current hardware generations. A firmware update to version 2.4.2.0 fixes the remaining 5 CVEs; the next hardware generation is planned to address all issues.

What this means
What could happen
An attacker on the network could crash the Festo controller, escalate privileges, bypass authentication, or execute unauthorized commands on the device, disrupting industrial automation and process control operations.
Who's at risk
Organizations operating Festo modular controller hardware (CECC-D, CECC-LK, CECC-S families) in automation, water/wastewater treatment, manufacturing, and industrial production systems are affected. These controllers are commonly used for process control, sequencing, and equipment coordination. Any facility relying on Festo controllers for critical operations should be assessed.
How it could be exploited
An attacker with network access to the Festo controller (typically via port 502 for Modbus or controller management ports) could send specially crafted requests to exploit multiple authentication bypass, memory corruption, and privilege escalation flaws in the CODESYS V3 runtime. No authentication credentials are required. Successful exploitation allows arbitrary command execution with controller privileges.
Prerequisites
  • Network connectivity to the Festo controller management interface or process communication ports
  • No authentication required for exploitation of most CVEs in this bundle
  • Controller running firmware version 2.3.8.0 (CECC-D, CECC-S) or 2.3.8.1 (CECC-LK, CECC-S)
  • Remotely exploitable
  • No authentication required
  • Low complexity exploitation
  • High EPSS score (36.9%)
  • No patch available for majority of CVEs in this bundle
  • Multiple critical vulnerabilities (19 CVEs) in single advisory
Exploitability
High exploit probability (EPSS 36.9%)
Affected products (4)
4 pending
Product | Affected Versions | Fix Status
Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-D (All versions): vers:all/* | All versions | No fix yet
Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK (All versions): vers:all/* | All versions | No fix yet
Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S (All versions): vers:all/* | All versions | No fix yet
Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-S (All versions): vers:all/* | All versions | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Isolate Festo controllers on a dedicated control network segment with firewall rules restricting network access to authorized engineering workstations and automation systems only
  • WORKAROUND: Disable remote management interfaces on the Festo controller if not required for current operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update firmware to version 2.4.2.0 on all Festo CECC-D, CECC-LK, and CECC-S controllers
Long-term hardening
  • HARDENING: Monitor controller logs for unauthorized access attempts or anomalous process commands