
Critical and High Vulnerabilities in CODESYS Components Bundled with Festo Automation Suite

CISA published ICS Advisory ICSA-26-076-01 on March 17, 2026, disclosing 128 vulnerabilities across CODESYS Development System and associated runtime components bundled in Festo Automation Suite (FAS) versions 2.8.0.137 and earlier. CVSS scores range from 5.3 to 9.8, with multiple vulnerabilities rated Critical at 9.8. The affected suite is deployed worldwide in critical manufacturing environments. Festo has addressed the systemic exposure by removing the CODESYS bundle from FAS starting with version 2.8.0.138, requiring customers to obtain and update CODESYS independently.

The vulnerabilities span multiple CODESYS subsystems, including the V3 web server, the CmpGateway communication component, the Wibu CodeMeter license management runtime, and the visualization server. Critical flaws include unauthenticated remote code execution via stack and heap buffer overflows in the web server (CVE-2019-13548, CVE-2019-18858, CVE-2020-10245, and CVE-2021-33485, all CVSS 9.8), memory corruption in the CodeMeter packet parser (CVE-2020-14509 and CVE-2023-3935, both CVSS 9.8), broken or default-disabled encryption of control communications (CVE-2018-10612 and CVE-2020-14517, both CVSS 9.8), and a gateway channel ownership verification failure (CVE-2019-9010, CVSS 9.8). Several of these CVEs originate between 2018 and 2020, meaning unpatched Festo installations have been carrying critical-severity exposure for up to eight years.

The risk context for these vulnerabilities is elevated by their location within industrial automation software used to program and manage PLCs and other field controllers. An unauthenticated attacker with network access to the CODESYS runtime can achieve full remote code execution or persistent denial of service on industrial controllers, potentially disrupting production processes or enabling physical consequences. Engineering workstations running Festo Automation Suite commonly bridge IT and OT network segments, and successful exploitation requires only network reachability to the CODESYS or CodeMeter service — no authentication or prior access is needed for the most critical vulnerabilities.

Threats and Vulnerabilities

CVE-2018-10612, with a CVSS score of 9.8, affects CODESYS Control V3 products prior to version 3.5.14.0. User access management and communication encryption are disabled by default in affected versions, exposing runtime credentials and all device communications to unauthenticated network access. This insecure-by-default posture means that even a factory-fresh installation with no additional misconfigurations is fully exposed to network attackers. CVE-2020-14517, also rated CVSS 9.8, documents broken and weak cryptographic algorithm usage in Wibu CodeMeter prior to version 7.10, allowing remote attackers to intercept and manipulate license management communications and potentially forge license tokens.

CVE-2019-13548, with a CVSS score of 9.8, describes a stack-based buffer overflow in the CODESYS V3 web server prior to version 3.5.14.10, triggered by specially crafted HTTP or HTTPS requests and enabling denial of service or unauthenticated remote code execution. CVE-2019-18858, also rated CVSS 9.8, documents a second buffer overflow in the same web server component in versions prior to 3.5.15.20. CVE-2020-10245, with a CVSS score of 9.8, describes an out-of-bounds write vulnerability in the CODESYS V3 web server prior to version 3.5.15.40. CVE-2021-33485, rated CVSS 9.8, documents a heap-based buffer overflow in CODESYS Control Runtime that permits unauthenticated remote code execution via specially crafted network packets. Taken together, these four web server and runtime vulnerabilities represent a persistent attack surface in the core CODESYS communication stack across multiple consecutive release generations.

CVE-2020-14509, with a CVSS score of 9.8, affects Wibu CodeMeter prior to version 7.10. The packet parser does not verify length fields, allowing memory corruption and remote code execution via specially crafted packets sent to the CodeMeter daemon. CVE-2023-3935, also rated CVSS 9.8, documents a heap buffer overflow in Wibu CodeMeter Runtime prior to version 7.60c that is exploitable over the network without authentication. The CodeMeter licensing daemon listens on TCP and UDP port 22350 on any engineering workstation running CODESYS, making it reachable even in environments where other CODESYS ports are restricted.

CVE-2019-9010, with a CVSS score of 9.8, affects CODESYS V3 products containing the CmpGateway component in versions prior to 3.5.14.20. The gateway does not correctly verify the ownership of a communication channel, allowing remote attackers to hijack or abuse established gateway sessions. Combined with the insecure defaults documented in CVE-2018-10612, this vulnerability enables unauthenticated pivoting through the CODESYS gateway to downstream PLC and controller targets on the OT network.

CVE-2022-4046, rated CVSS 8.8, allows an authenticated remote attacker with low privileges to trigger a buffer overflow and gain full device access. CVE-2023-6357, rated CVSS 8.8, documents OS command injection via CODESYS file system library functions, exploitable by a low-privilege remote attacker to execute arbitrary commands on the host system. CVE-2025-2595, with a CVSS score of 5.3, allows an unauthenticated attacker to bypass user management in CODESYS Visualization and read visualization template files or static elements through a forced browsing attack (CWE-425), potentially exposing process diagrams and HMI configuration data. Beyond these representative entries, VDE Advisory VDE-2025-108 documents 128 total CVEs across the bundled CODESYS components spanning credential theft, path traversal, privilege escalation, null pointer dereference, weak password hashing, and improper file permission vulnerabilities.

Client Impact

Clients operating Festo Automation Suite versions 2.8.0.137 and earlier are exposed to critical-severity, unauthenticated remote code execution vulnerabilities affecting PLCs and controllers programmed and managed through the suite. Successful exploitation of the web server or CodeMeter vulnerabilities could allow an attacker to reprogram or disable industrial controllers, manipulate process variable outputs, or cause persistent denial of service across an automation environment. Because CODESYS runtime services and engineering workstations frequently communicate over the same network segment as PLCs, exploitation of these vulnerabilities does not require an attacker to bypass additional OT segmentation controls. The multi-year age of several critical CVEs in this advisory means that opportunistic threat actors with awareness of CODESYS vulnerabilities may already be targeting unpatched installations.

Unpatched FAS deployments expose organizations to compliance risk under IEC 62443, which mandates security patch management and baseline secure configurations for Industrial Automation and Control Systems. The presence of CVE-2018-10612 — where encryption and access control are disabled by default — represents a direct conflict with IEC 62443-3-3 security requirements SR 1.1 (Human User Identification and Authentication) and SR 4.1 (Information Confidentiality). Organizations subject to NERC CIP-007 (Systems Security Management) must remediate known vulnerabilities within defined maintenance windows, and the age and severity of the CVEs documented here will likely draw scrutiny during regulatory audits. NIST SP 800-82 guidance on ICS security similarly requires prompt remediation of remotely exploitable, unauthenticated vulnerabilities in control system software.

Mitigations

Organizations running Festo Automation Suite should take the following actions:

1. Upgrade Festo Automation Suite to version 2.8.0.138 or later; this version removes the bundled CODESYS installation from the suite.

2. After upgrading FAS, download CODESYS Development System version 3.5.21.20 or later directly from the CODESYS vendor and apply all available security patches.

3. Audit all engineering workstations for installed CODESYS versions and verify each installed component against the remediated versions documented in Festo Security Advisory FSA-202601 and VDE Advisory VDE-2025-108.

4. Restrict network access to CODESYS runtime ports (TCP/UDP 1217 for CODESYS V3 communication, TCP/UDP 22350 for Wibu CodeMeter) to authorized engineering hosts only, using host-based firewall rules or network access control lists.

5. Enable user access management and communication encryption in the CODESYS runtime configuration where full upgrade is pending, specifically addressing the insecure defaults documented in CVE-2018-10612.

6. Monitor CODESYS gateway and web server traffic for anomalous connection patterns, oversized or malformed packets, and unexpected process execution originating from the CODESYS runtime process.

7. Refer to CISA ICS Advisory ICSA-26-076-01 and Festo Security Advisory FSA-202601 for the complete enumeration of all 128 affected CVEs and per-component remediation guidance.

Organizations that have already upgraded to FAS 2.8.0.138 and maintain a current, independently patched CODESYS installation are not affected by the bundled component vulnerabilities documented in this advisory.
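The following is an added example, not part of this advisory and not Festo or CODESYS tooling, of the exposure check behind steps 2, 3 and 5: given an inventory of installed component versions, it reports which of the per-component fix thresholds quoted above each installation still falls below. The fixed-in versions are those stated in this advisory; the component labels, hostnames and sample inventory are constructed for illustration, and collecting the real installed versions from workstations is left to whatever inventory tooling the organization already uses. It goes slightly beyond the advisory text in handling the letter-suffixed CodeMeter version format (7.60c sorts after 7.60a) and in comparing dotted fields numerically rather than as strings, so that 3.5.9 is correctly treated as older than 3.5.14.0.

```python
"""Exposure check against the CODESYS / CodeMeter fix versions in this advisory.

Fix thresholds come from the advisory text; the inventory below is a
constructed sample, not data from a real workstation.
"""
import re

# (CVE, component label, first fixed version) as stated in the advisory.
# CVE-2021-33485 is omitted because the advisory gives no fix version for it.
FIXED_IN = [
    ("CVE-2018-10612", "CODESYS Control V3", "3.5.14.0"),
    ("CVE-2019-9010", "CODESYS CmpGateway", "3.5.14.20"),
    ("CVE-2019-13548", "CODESYS V3 web server", "3.5.14.10"),
    ("CVE-2019-18858", "CODESYS V3 web server", "3.5.15.20"),
    ("CVE-2020-10245", "CODESYS V3 web server", "3.5.15.40"),
    ("CVE-2020-14509", "Wibu CodeMeter", "7.10"),
    ("CVE-2020-14517", "Wibu CodeMeter", "7.10"),
    ("CVE-2023-3935", "Wibu CodeMeter", "7.60c"),
]

# One dotted field: digits with an optional trailing letter (e.g. "60c").
_FIELD = re.compile(r"^(\d+)([a-z]?)$")


def parse_version(text):
    """Turn '3.5.14.10' or '7.60c' into a tuple that compares correctly.

    Each dotted field becomes (number, letter_rank). A trailing letter ranks
    after the bare number: '' -> 0, 'a' -> 1, 'b' -> 2, 'c' -> 3, so that
    7.60 < 7.60a < 7.60c. Numbers compare numerically, so 9 < 14.
    """
    fields = []
    for piece in text.strip().lower().split("."):
        match = _FIELD.match(piece)
        if not match:
            raise ValueError(f"unrecognised version field {piece!r} in {text!r}")
        number, letter = match.groups()
        rank = (ord(letter) - ord("a") + 1) if letter else 0
        fields.append((int(number), rank))
    return tuple(fields)


def version_lt(installed, fixed):
    """True if `installed` is strictly older than `fixed` (7.10 == 7.10.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += ((0, 0),) * (width - len(a))  # pad the shorter tuple with zero fields
    b += ((0, 0),) * (width - len(b))
    return a < b


def open_cves(component, installed_version):
    """CVEs from the advisory still open for one installed component."""
    return [cve for cve, comp, fixed in FIXED_IN
            if comp == component and version_lt(installed_version, fixed)]


def audit(inventory):
    """inventory: iterable of (host, component, version).

    Returns {host: {component: [open CVEs]}} with only exposed entries.
    """
    findings = {}
    for host, component, version in inventory:
        cves = open_cves(component, version)
        if cves:
            findings.setdefault(host, {})[component] = cves
    return findings


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ews-01", "CODESYS V3 web server", "3.5.14.0"),
    ("ews-01", "Wibu CodeMeter", "7.60a"),
    ("ews-02", "CODESYS V3 web server", "3.5.15.40"),
    ("ews-02", "Wibu CodeMeter", "7.60c"),
    ("ews-03", "CODESYS CmpGateway", "3.5.14.20"),
]

if __name__ == "__main__":
    for host, components in audit(SAMPLE_INVENTORY).items():
        for component, cves in components.items():
            print(f"{host}: {component} still exposed to {', '.join(cves)}")
```

A host whose component is exactly at the fix version is reported clean, which matches the advisory's "prior to version" wording; anything absent from the inventory is simply not assessed, so the inventory step (3) has to be complete for the result to mean anything.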

1898 & Co. Response

1898 & Co. maintains a dedicated Operational Technology (OT) and Industrial Control System (ICS) security practice with deep expertise in the CODESYS platform and Festo automation products. Our team monitors ICS vulnerability disclosures continuously, including CISA ICS-CERT advisories and CERT@VDE publications, and can rapidly assess client exposure to vulnerabilities of this scope and severity.

Our OT security assessments include detailed review of engineering workstation configurations, CODESYS runtime service exposure, and network segmentation posture. When bundled or legacy software components are identified as a vulnerability aggregation risk — as documented here with 128 CVEs across a single bundled dependency — 1898 & Co. provides prioritized remediation roadmaps aligned to IEC 62443 and NERC CIP requirements, including upgrade planning that minimizes operational disruption.

1898 & Co. has assisted critical manufacturing, energy, and utilities clients with CODESYS and PLC security hardening and has experience coordinating emergency patch deployments in operational environments where downtime windows are tightly constrained. Clients with questions about their exposure to the vulnerabilities documented in this advisory are encouraged to contact their 1898 & Co. account team for an immediate exposure assessment.

Sources

1. CISA ICS Advisory ICSA-26-076-01 — CODESYS in Festo Automation Suite

2. CERT@VDE Advisory VDE-2025-108 — Festo Automation Suite / CODESYS

3. NVD Entry — CVE-2018-10612

4. NVD Entry — CVE-2019-9010

5. NVD Entry — CVE-2019-13548

6. NVD Entry — CVE-2019-18858

7. NVD Entry — CVE-2020-10245

8. NVD Entry — CVE-2020-14509

9. NVD Entry — CVE-2020-14517

10. NVD Entry — CVE-2021-33485

11. NVD Entry — CVE-2022-4046

12. NVD Entry — CVE-2023-3935

13. NVD Entry — CVE-2023-6357

14. NVD Entry — CVE-2025-2595