PatchSiren cyber security CVE debrief
CVE-2020-12069 CODESYS CVE debrief
CVE-2020-12069 describes a weak password-hashing issue in CODESYS V3 products prior to V3.5.16.0 that include CmpUserMgr. In affected systems, the runtime stores online communication passwords using a weak hashing algorithm, which can allow a local attacker with low privileges to gain full control of the device. The CISA republication dated 2026-02-26 references a Festo advisory republished on 2026-03-17 and ties the issue to Festo Automation Suite deployments that bundle or reference CODESYS components.
- Vendor: CODESYS
- Product: FESTO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS administrators, Festo Automation Suite users, and teams operating CODESYS V3-based systems that include CmpUserMgr. Any organization where local users have access to engineering or runtime hosts should treat this as a credential-protection issue with device-takeover impact.
Technical summary
According to the advisory, CODESYS V3 products before V3.5.16.0 that contain CmpUserMgr store online communication passwords with a weak hashing algorithm. The stated attack path is local and requires low privileges, but the impact is severe: disclosure or recovery of protected communication credentials can lead to full device control. The advisory also lists Festo Automation Suite product combinations affected when they include CODESYS components. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High. This is a local-attack, credential-protection weakness with potential full compromise of an industrial device, so remediation should be prioritized for any exposed or shared engineering host and any affected CODESYS/Festo installation.
Recommended defensive actions
- Upgrade to a patched CODESYS release at or above V3.5.16.0, as identified in the advisory.
- For Festo Automation Suite deployments, follow Festo's guidance that starting with version 2.8.0.138 CODESYS is no longer bundled and must be downloaded and installed separately.
- Download and install the latest patched CODESYS version directly from the official CODESYS website.
- Follow CODESYS installation and update instructions to ensure security fixes are applied correctly.
- Keep the Festo Automation Suite connector updated by installing FAS updates when released by Festo.
- Monitor CODESYS security advisories and apply updates promptly, especially on systems where local users can access the runtime host.
Evidence notes
The debrief is based on the CISA CSAF advisory record for ICSA-26-076-01 and the linked official references. The source explicitly states that CODESYS V3 products prior to V3.5.16.0 containing CmpUserMgr use a weak hashing algorithm for online communication passwords, enabling a low-privilege local attacker to gain full control. Product attribution in the intake is mixed, so the response stays anchored to the advisory text and the Festo Automation Suite/CODESYS combination mentioned there.
Official resources
- CVE-2020-12069 CVE record (CVE.org)
- CVE-2020-12069 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory published by CISA on 2026-02-26 and republished/updated on 2026-03-17; no KEV listing is provided in the supplied data.