OTPulse

CODESYS in Festo Automation Suite

Act Now · CVSS 9.8 · ICS-CERT ICSA-26-076-01 · Mar 17, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities exist in CODESYS Development System bundled with Festo Automation Suite. The vulnerabilities span memory corruption, insecure deserialization, improper access controls, cryptographic weaknesses, and other flaws that allow an unauthenticated attacker with network access to execute arbitrary code. Affected versions are CODESYS Development System 3.0 and 3.5.16.10 bundled in Festo Automation Suite versions prior to 2.8.0.138. Starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed separately.

What this means
What could happen
Multiple critical vulnerabilities in CODESYS allow an attacker with network access to execute arbitrary code on engineering workstations and potentially control systems. This could allow modification of PLC programs, alteration of process setpoints, or stopping production equipment.
Who's at risk
Manufacturing facilities using Festo Automation Suite with bundled CODESYS Development System versions prior to 2.8.0.138 are affected. Engineering teams who develop and deploy PLC programs using CODESYS are directly at risk. Any organization with CODESYS-based automation systems running on networked workstations should assess exposure.
How it could be exploited
An attacker on the network can send a malicious network request to a CODESYS Development System instance without authentication. These vulnerabilities allow code execution in the context of the workstation running CODESYS, which typically has access to connected PLCs and control devices.
Prerequisites
  • Network access to the CODESYS Development System port (typically 11740, or the configured port)
  • No credentials required
  • CODESYS Development System running and accessible from attacker's network
  • Remotely exploitable without authentication
  • Low attack complexity
  • Actively exploited (KEV)
  • High EPSS score (36.9%)
  • Affects engineering workstations that control production systems
  • Default network accessibility of CODESYS ports
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (4)
4 EOL
Product                               | Affected Versions | Fix Status
CODESYS Development System 3.0        | < 2.8.0.138       | No fix (EOL)
CODESYS Development System 3.0        | 2.8.0.137         | No fix (EOL)
CODESYS Development System 3.5.16.10  | < 2.8.0.138       | No fix (EOL)
CODESYS Development System 3.5.16.10  | 2.8.0.137         | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Update Festo Automation Suite to version 2.8.0.138 or later and ensure CODESYS Development System 3.5.21.20 or later is installed as the external component
HOTFIX: Download and install the latest patched CODESYS version directly from the official CODESYS website if not bundled with Festo Automation Suite
WORKAROUND: Implement firewall rules to prevent network access to CODESYS Development System ports from untrusted networks
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CODESYS Development System 3.0 and CODESYS Development System 3.5.16.10 (both as bundled in Festo Automation Suite versions prior to 2.8.0.138). Apply the following compensating controls:
HARDENING: Isolate engineering workstations running CODESYS to a separate, protected network segment with restricted access from business networks
HARDENING: If remote access to CODESYS is required, use a VPN with multi-factor authentication and keep VPN software updated
HARDENING: Establish a process to monitor and apply CODESYS security advisories promptly when released
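As an added illustration (not part of the OTPulse advisory), a Python check that encodes the remediation logic above: each inventoried workstation's Festo Automation Suite and CODESYS versions are classified against the 2.8.0.138 and 3.5.21.20 thresholds. Host names and versions in the sample inventory are constructed; the rule that any Festo Automation Suite below 2.8.0.138 counts as affected regardless of a separately installed CODESYS is an assumption taken from the "no fix (EOL)" status of the bundled component.

```python
"""Exposure check for CODESYS Development System bundled in Festo Automation Suite.

Advisory logic encoded here:
  * Festo Automation Suite (FAS) < 2.8.0.138 bundles an affected CODESYS
    Development System (3.0 or 3.5.16.10) and has no fix for that bundle.
  * FAS >= 2.8.0.138 no longer bundles CODESYS; a separately installed
    CODESYS Development System must be 3.5.21.20 or later.
"""
from typing import Optional, Tuple

FAS_FIXED = "2.8.0.138"             # first FAS release without bundled CODESYS
CODESYS_MIN_EXTERNAL = "3.5.21.20"  # minimum external CODESYS per the advisory
BUNDLED_AFFECTED = ("3.0", "3.5.16.10")

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a comparable tuple of ints."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)

def version_lt(a: str, b: str) -> bool:
    """True if a is strictly lower than b; missing trailing fields count as 0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))

def assess(fas_version: str, codesys_version: Optional[str]) -> Tuple[str, str]:
    """Return (status, action) for one workstation.

    codesys_version is the separately installed CODESYS Development System,
    or None if there is none. Assumption: any FAS below 2.8.0.138 is affected
    because its bundled CODESYS is EOL with no fix.
    """
    if version_lt(fas_version, FAS_FIXED):
        return ("AFFECTED", f"FAS {fas_version} bundles EOL CODESYS "
                f"({'/'.join(BUNDLED_AFFECTED)}); update FAS to {FAS_FIXED}+ "
                f"and install CODESYS {CODESYS_MIN_EXTERNAL}+")
    if codesys_version is None:
        return ("NOT_AFFECTED", "FAS no longer bundles CODESYS; none installed")
    if version_lt(codesys_version, CODESYS_MIN_EXTERNAL):
        return ("AFFECTED", f"external CODESYS {codesys_version} is older than "
                f"{CODESYS_MIN_EXTERNAL}; update it")
    return ("NOT_AFFECTED", f"CODESYS {codesys_version} meets the fix level")

if __name__ == "__main__":
    # Constructed sample inventory (host, FAS version, external CODESYS version).
    for host, fas, cds in [("eng-ws-01", "2.7.1.0", None),
                           ("eng-ws-02", "2.8.0.138", "3.5.16.10"),
                           ("eng-ws-03", "2.8.1.0", "3.5.21.20")]:
        print(host, *assess(fas, cds))
```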
CVEs (126)