Festo Compact Vision System, Control Block, Controller, and Operator Unit products

Act Now9.8ICS-CERT ICSA-25-329-05Nov 25, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple Festo Compact Vision System, Control Block, Controller, and Operator Unit products contain unsafe default CODESYS configurations that allow unauthenticated access to the devices. Specifically, CVE-2022-22515 and CVE-2022-31806 enable attackers to download and execute arbitrary code or modify configuration files without authentication. All versions of the affected Festo product lines are vulnerable. Festo has not released firmware patches and states no fix is planned for these products.

What this means

What could happen

An attacker could gain unauthenticated access to these Festo automation controllers and vision systems, allowing them to modify configuration files, download and execute malicious code, or alter process logic. This could disrupt manufacturing, packaging, or assembly operations controlled by these devices.

Who's at risk

Water authorities and municipal utilities operating Festo automation equipment should review affected products immediately. This affects Festo compact vision systems, control blocks (CPX-CEC and CPX-CMXX series), controllers (CECC and CPX-E series), and operator units (CDPX series). Any facility using these devices for pump control, valve operation, flow measurement, or process automation is at risk.

How it could be exploited

An attacker on the network can connect to an affected Festo controller or operator unit without credentials because of unsafe default CODESYS configurations. Once connected, they can modify configuration files or upload malicious code that runs on the controller. The attacker does not need authentication or special network access beyond reaching the device's port.

Prerequisites

Network access to the affected Festo device's communication port (default or configured port)
The device must have an unsafe default CODESYS configuration enabled
No password protection configured on the controller login (CVE-2022-31806 specifically)

remotely exploitableno authentication requiredlow complexityno patch availableaffects process control systemsunsafe default configurations

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (33)

33 pending

ProductAffected VersionsFix Status

Festo Software Compact Vision System SBO-Q-: vers:all/*All versionsNo fix yet

-Q-: -Q--Q-No fix yet

Festo Software Control block CPX-CEC-C1 Codesys V2: vers:all/*All versionsNo fix yet

Festo Software Control block CPX-CEC-C1-V3 Codesys V3: vers:all/*All versionsNo fix yet

Festo Software Control block CPX-CEC Codesys V2: vers:all/*All versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/4

WORKAROUNDEnable password protection at login on all affected Festo controllers; note that password configuration files must be manually selected in FFT backup and restore procedures

WORKAROUNDEnable online user management on all affected controllers to prevent unauthenticated download and execution of code (note: this may limit legitimate debug and start/stop actions on running applications)

HARDENINGIsolate all Festo automation devices and controllers behind firewalls on a dedicated OT network segment; ensure they are not accessible from the internet or business network

HARDENINGReview and document which Festo devices in your environment are running affected products; cross-reference against network maps to identify which are connected to business networks or internet-facing systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGIf remote access to Festo devices is required, enforce connection through VPN and maintain VPN software at the latest patched version

CVEs (2)

CVE-2022-22515 CVE-2022-31806

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/430189c3-0d39-4fac-88ae-d9d39e145d20