Festo Compact Vision System, Control Block, Controller, and Operator Unit products

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-329-05 | Oct 17, 2022
Tags: CODESYS, Phoenix Contact, WAGO, Festo, Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Festo Compact Vision System, Control Block, Controller, and Operator Unit products contain unsafe default CODESYS configurations that allow unauthenticated access to the devices. Specifically, CVE-2022-22515 and CVE-2022-31806 enable attackers to download and execute arbitrary code or modify configuration files without authentication. All versions of the affected Festo product lines are vulnerable. Festo has not released firmware patches and states no fix is planned for these products.

What this means
What could happen
An attacker could gain unauthenticated access to these Festo automation controllers and vision systems, allowing them to modify configuration files, download and execute malicious code, or alter process logic. This could disrupt manufacturing, packaging, or assembly operations controlled by these devices.
Who's at risk
Water authorities and municipal utilities operating Festo automation equipment should review affected products immediately. This affects Festo compact vision systems, control blocks (CPX-CEC and CPX-CMXX series), controllers (CECC and CPX-E series), and operator units (CDPX series). Any facility using these devices for pump control, valve operation, flow measurement, or process automation is at risk.
How it could be exploited
An attacker on the network can connect to an affected Festo controller or operator unit without credentials because of unsafe default CODESYS configurations. Once connected, they can modify configuration files or upload malicious code that runs on the controller. The attacker does not need authentication or special network access beyond reaching the device's port.
Prerequisites
  • Network access to the affected Festo device's communication port (default or configured port)
  • The device must have an unsafe default CODESYS configuration enabled
  • No password protection configured on the controller login (CVE-2022-31806 specifically)
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects process control systems, unsafe default configurations
Exploitability
Some exploitation risk — EPSS score 1.1%
Affected products (51)
15 with fix, 36 pending

Product          | Affected Versions | Fix Status
ENERGY AXC PU    | <V04.15.00.00     | Fix available
750-331          | ≤ 01.04.16(14)    | No fix yet
750-829          | ≤ 01.04.16(14)    | FW17
750-831/xxx-xxx  | ≤ 01.04.16(14)    | No fix yet
750-852          | ≤ 01.09.25(16)    | FW17
Remediation & Mitigation
Do now
  • WORKAROUND: Enable password protection at login on all affected Festo controllers; note that password configuration files must be manually selected in FFT backup and restore procedures
  • WORKAROUND: Enable online user management on all affected controllers to prevent unauthenticated download and execution of code (note: this may limit legitimate debug and start/stop actions on running applications)
  • HARDENING: Isolate all Festo automation devices and controllers behind firewalls on a dedicated OT network segment; ensure they are not accessible from the internet or business network
  • HARDENING: Review and document which Festo devices in your environment are running affected products; cross-reference against network maps to identify which are connected to business networks or internet-facing systems
Schedule (requires maintenance window)

Patching may require device reboot — plan for process interruption

  • HARDENING: If remote access to Festo devices is required, enforce connection through VPN and maintain VPN software at the latest patched version
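
The inventory review and workaround checks listed above can be scripted as a triage pass over an asset list. This is an added example, not part of the advisory or any Festo tooling; the CSV column names, the OT subnet, the sample model strings and the prefix-matching rule are all assumptions to adapt to your site.

```python
import csv
import io
import ipaddress

# Series named in the advisory text; all versions are listed as affected.
AFFECTED_SERIES = ("CPX-CEC", "CPX-CMXX", "CECC", "CPX-E", "CDPX")
# Assumption: subnets your site treats as the dedicated OT segment.
OT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample inventory; column names and values are hypothetical.
SAMPLE_INVENTORY = """asset,model,ip,login_password,user_mgmt
pump-plc-1,CECC-LK,10.20.4.11,yes,yes
valve-plc-2,CPX-CEC-C1-V3,10.20.4.12,no,no
hmi-3,CDPX-X-A-W-7,192.168.10.50,yes,no
packer-4,CPX-E-CEC-M1-PN,192.168.10.51,no,no
drive-5,OTHER-DRIVE-9,192.168.10.52,no,no
"""

def is_affected(model):
    """True when the model is, or starts with, a listed series name."""
    m = model.strip().upper()
    return any(m == s or m.startswith(s + "-") for s in AFFECTED_SERIES)

def triage(inventory_csv):
    """Return affected assets with their open mitigation gaps, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["model"]):
            continue
        gaps = []
        ip = ipaddress.ip_address(row["ip"].strip())
        if not any(ip in net for net in OT_SEGMENTS):
            gaps.append("outside dedicated OT segment")
        if row["login_password"].strip().lower() != "yes":
            gaps.append("login password protection not enabled")
        if row["user_mgmt"].strip().lower() != "yes":
            gaps.append("online user management not enabled")
        findings.append({"asset": row["asset"], "model": row["model"], "gaps": gaps})
    # Most gaps first; the stable sort keeps inventory order among ties.
    return sorted(findings, key=lambda f: -len(f["gaps"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['asset']:12} {f['model']:18} {'; '.join(f['gaps']) or 'no open gaps'}")
```

Devices with no open gaps stay in the output so the review records every affected unit, not only the ones needing work.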