PatchSiren cyber security CVE debrief
CVE-2021-34595 CODESYS CVE debrief
CVE-2021-34595 is a memory-safety vulnerability in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to V2.4.7.56: a crafted request with invalid offsets causes out-of-bounds read or write access. In affected deployments this can result in denial of service or local memory overwrite, and the supplied advisory rates the issue high severity (CVSS 8.1, reachable over the network with only low privileges). The recommended path is to move to patched CODESYS releases and, where applicable, upgrade Festo Automation Suite to a version that no longer bundles CODESYS.
- Vendor: CODESYS
- Product: FESTO (see Evidence notes on the mixed vendor/product labelling)
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published (as recorded in the supplied data): 2026-02-26
- Original CVE updated (as recorded in the supplied data): 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators, plant engineers, and system integrators using Festo Automation Suite with bundled CODESYS components, especially any environment that may still include CODESYS V2 Runtime Toolkit 32 Bit full or PLCWinNT versions prior to V2.4.7.56.
Technical summary
The advisory describes an out-of-bounds read/write condition triggered by a crafted request with invalid offsets. The vulnerable component is CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to V2.4.7.56. In the supplied CISA CSAF record, the issue is associated with Festo Automation Suite deployments that included CODESYS components. The CVSS vector behind the 8.1 score describes an attack that is network-reachable and low-complexity, requires only low privileges and no user interaction, and has high integrity and availability impact with no confidentiality impact; in practice that means a denial of service or memory overwrite from anyone who can reach the runtime's network interface with a low-privileged account.
Defensive priority
High — prioritize patching and component inventory in OT environments because the flaw can affect availability and integrity and is associated with a low-privilege, network-reachable attack surface.
Recommended defensive actions
- Update CODESYS to the latest patched release from the official CODESYS website and confirm the installed version is at or above V2.4.7.56 for the affected runtime components.
- Upgrade Festo Automation Suite to a version that no longer bundles CODESYS (the supplied remediation notes this change starting with version 2.8.0.138) and keep the FAS connector current.
- Inventory systems for affected CODESYS V2 runtime components and verify whether PLCWinNT or the 32-bit full runtime is present before returning systems to production.
- Apply OT defensive controls from CISA recommended practices, including restricting access to engineering hosts, segmenting networks, and monitoring vendor advisories for updates.
- Validate patches in a maintenance window and document rollback plans for production systems that depend on the affected components.
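The inventory and version checks in the steps above are easy to get wrong when done by eye or with a string compare: "2.4.7.9" sorts after "2.4.7.56" lexically but is older. The following is an added example (not code from the advisory, CODESYS or Festo) that triages a constructed asset inventory against the two thresholds the advisory names, V2.4.7.56 for the affected runtime components and 2.8.0.138 for the Festo Automation Suite release that stops bundling CODESYS. The component labels, hostnames and versions in the sample inventory are assumptions for illustration, not official product identifiers.

```python
"""Inventory triage for CVE-2021-34595 (added example, not from the advisory).

Compares installed CODESYS V2 runtime versions against the fixed release
V2.4.7.56 named in the advisory, and flags Festo Automation Suite installs
older than 2.8.0.138 (the release from which FAS no longer bundles CODESYS).
Versions are compared field by field as integers, never as strings.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

# Thresholds taken from the advisory text on this page.
FIXED_RUNTIME_VERSION = "2.4.7.56"
FAS_UNBUNDLED_FROM = "2.8.0.138"

# Assumed inventory labels for the two affected components (not official IDs).
AFFECTED_COMPONENTS = {
    "CODESYS V2 Runtime Toolkit 32 Bit full",
    "CODESYS V2 PLCWinNT",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V2.4.7.56' or '2.4.7.56' into (2, 4, 7, 56) for numeric comparison.

    A plain string compare would rank '2.4.7.9' above '2.4.7.56'; integer
    tuples avoid that. Anything that is not dotted integers is rejected.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than version b (field-wise, zero-padded)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def runtime_is_affected(component: str, version: str) -> bool:
    """Affected only if the component is one named in the advisory and predates the fix."""
    return component in AFFECTED_COMPONENTS and version_lt(version, FIXED_RUNTIME_VERSION)


def fas_bundles_codesys(fas_version: str) -> bool:
    """FAS releases before 2.8.0.138 ship CODESYS components and need review."""
    return version_lt(fas_version, FAS_UNBUNDLED_FROM)


@dataclass(frozen=True)
class Asset:
    host: str
    component: str
    version: str


def triage(inventory: List[Asset]) -> List[str]:
    """Return one finding per asset that needs action, in inventory order."""
    findings = []
    for a in inventory:
        if a.component == "Festo Automation Suite":
            if fas_bundles_codesys(a.version):
                findings.append(
                    f"{a.host}: FAS {a.version} bundles CODESYS; upgrade to >= {FAS_UNBUNDLED_FROM}"
                )
        elif runtime_is_affected(a.component, a.version):
            findings.append(
                f"{a.host}: {a.component} {a.version} < {FIXED_RUNTIME_VERSION}; patch"
            )
    return findings


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Asset("eng-ws-01", "CODESYS V2 Runtime Toolkit 32 Bit full", "V2.4.7.9"),
    Asset("eng-ws-02", "CODESYS V2 PLCWinNT", "2.4.7.56"),
    Asset("hmi-03", "CODESYS V2 PLCWinNT", "2.4.6.0"),
    Asset("eng-ws-04", "Festo Automation Suite", "2.7.0.50"),
    Asset("eng-ws-05", "Festo Automation Suite", "2.8.0.138"),
    Asset("plc-06", "CODESYS Control Win V3", "3.5.17.0"),  # V3 runtime, out of scope here
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

Run against the sample inventory it reports three findings (eng-ws-01, hmi-03 and eng-ws-04) and stays silent on the host already at V2.4.7.56, the FAS install already at 2.8.0.138, and the V3 runtime, which this CVE does not cover. Feed it your real inventory export by constructing `Asset` records from whatever your asset database produces.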
Evidence notes
This debrief is based on the supplied CISA CSAF source item ICSA-26-076-01 and its referenced Festo/CERT@VDE advisory materials. The source states that a crafted request with invalid offsets can trigger out-of-bounds read/write behavior in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to V2.4.7.56. The supplied record does not include KEV status or active exploitation claims. The vendor/product labeling in the supplied metadata is mixed, so deployment scope should be verified against the cited advisory and installed component inventory.
Official resources
- CVE-2021-34595 CVE record (CVE.org)
- CVE-2021-34595 NVD detail (NVD)
- Source item: CISA CSAF advisory ICSA-26-076-01
Per the supplied timeline, the advisory record was published on 2026-02-26 and republished on 2026-03-17. No KEV entry is included in the supplied data.