PatchSiren cyber security CVE debrief

CVE-2018-10612 3S-Smart CVE debrief

CISA's ICSA-26-076-01, published 2026-02-26 and revised 2026-03-17, covers CVE-2018-10612 in CODESYS Control V3 products prior to 3.5.14.0. Because user access management and communication encryption are not enabled by default, an attacker may gain access to the device and sensitive information, including user credentials. Systems using Festo Automation Suite bundles should move to patched CODESYS/Festo releases and confirm the vulnerable component is no longer present.

Vendor: 3S-Smart
Product: FESTO
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

OT/ICS teams, system integrators, and engineers running Festo Automation Suite installations that include CODESYS components, especially where CODESYS Control V3 devices may be reachable from the network.

Technical summary

The advisory describes a default security configuration problem in CODESYS Control V3 prior to version 3.5.14.0: user access management and communication encryption are not enabled by default. CISA maps the issue to CWE-284 (Improper Access Control) and assigns a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), meaning a remote attacker needs no privileges or user interaction to access the device and sensitive data, including credentials.

Defensive priority

Urgent: treat as a critical OT exposure and prioritize patching, component verification, and exposure review immediately.

Recommended defensive actions

  • Identify Festo Automation Suite installations that bundle CODESYS components and confirm whether they are below version 2.8.0.138.
  • Upgrade to the latest patched CODESYS release from the official CODESYS website, following the vendor's installation and update instructions.
  • Update Festo Automation Suite to the latest available release and keep the FAS connector current.
  • Verify that CODESYS Control V3 instances are at or above version 3.5.14.0 or otherwise no longer rely on the vulnerable default configuration.
  • Monitor official CODESYS and Festo advisories for follow-on fixes and apply updates promptly.
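The first and fourth actions above amount to an inventory check against two version thresholds the advisory gives (CODESYS Control V3 below 3.5.14.0, Festo Automation Suite bundles below 2.8.0.138). The following is an added example, not PatchSiren's or the vendors' own tooling; the hostnames and versions in the inventory are constructed, and it assumes you can export component versions into a simple list.

```python
# Added example: triage a component inventory against the advisory's fixed versions.
# Versions are compared numerically, segment by segment, because a plain string
# comparison would wrongly treat "3.5.9.0" as newer than "3.5.14.0".
from typing import List, NamedTuple, Tuple

# Fixed-version thresholds taken from the advisory text above.
THRESHOLDS = {
    "CODESYS Control V3": "3.5.14.0",
    "Festo Automation Suite": "2.8.0.138",
}


class Asset(NamedTuple):
    host: str
    component: str
    version: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def version_below(installed: str, fixed: str) -> bool:
    """True when installed < fixed; shorter versions are padded with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(assets: List[Asset]) -> List[Tuple[str, str, str, str]]:
    """Return (host, component, installed, fixed) for every asset still below threshold."""
    findings = []
    for asset in assets:
        fixed = THRESHOLDS.get(asset.component)
        if fixed is not None and version_below(asset.version, fixed):
            findings.append((asset.host, asset.component, asset.version, fixed))
    return findings


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    Asset("plc-01", "CODESYS Control V3", "3.5.9.0"),
    Asset("plc-02", "CODESYS Control V3", "3.5.14.0"),
    Asset("eng-ws-07", "Festo Automation Suite", "2.8.0.137"),
    Asset("eng-ws-08", "Festo Automation Suite", "2.8.1.0"),
]

if __name__ == "__main__":
    for host, component, installed, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {component} {installed} is below fixed version {fixed}")
```

A version at or above the threshold only shows the vulnerable default is no longer shipped; whether user access management and encryption are actually enabled on each controller still has to be confirmed on the device.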

Evidence notes

The source advisory title is 'CODESYS in Festo Automation Suite.' Its description states that CODESYS Control V3 products prior to 3.5.14.0 do not enable user access management or communication encryption by default, which can expose devices and credentials. The advisory metadata also lists affected Festo Automation Suite versions and shows publication on 2026-02-26 with a republication/revision on 2026-03-17.

Official resources

Publicly disclosed in the CISA CSAF advisory on 2026-02-26 and revised on 2026-03-17; no Known Exploited Vulnerabilities (KEV) entry is provided in the supplied corpus.