PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-31804 CODESYS CVE debrief

CVE-2022-31804 is a network-exploitable denial-of-service issue in CODESYS Gateway Server V2 used by FESTO's "CODESYS provided by Festo" software. The gateway does not verify that request size stays within expected limits, so an unauthenticated attacker can force arbitrary memory allocation and potentially crash the service through memory exhaustion. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, so the main risk is availability loss rather than confidentiality or integrity impact.

Vendor: CODESYS
Product: Software
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-03
Original CVE updated: 2024-12-03
Advisory published: 2024-12-03
Advisory updated: 2024-12-03

Who should care

OT/ICS operators using FESTO CODESYS provided by Festo, especially teams responsible for exposed gateway services, controller access controls, network segmentation, and availability monitoring.

Technical summary

The advisory describes an input validation failure in CODESYS Gateway Server V2: request sizes are not checked against expected bounds. Because the issue is unauthenticated and network reachable, a remote attacker can send oversized requests that drive memory allocation until the gateway runs out of memory and crashes. The affected product listing in the supplied CSAF marks "CODESYS provided by Festo all versions" as impacted.
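
The missing bounds check described above, as an added illustration that is not CODESYS or Festo code. The wire format (a 4-byte big-endian length prefix), the 64 KiB limit and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this example; not a value from CODESYS or Festo. */
#define MAX_REQUEST_LEN (64u * 1024u)

/* Hypothetical framing: 4-byte big-endian payload length, then the payload. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the allocation size is whatever the peer declares. */
size_t alloc_size_unchecked(const uint8_t *hdr) {
    return (size_t)read_be32(hdr);
}

/* Hardened parser: 0 and a heap copy in *out on success, -1 on rejection. */
int parse_request(const uint8_t *buf, size_t avail, uint8_t **out, size_t *out_len) {
    if (avail < 4) return -1;               /* incomplete header */
    uint32_t declared = read_be32(buf);
    if (declared == 0 || declared > MAX_REQUEST_LEN)
        return -1;                          /* bound checked before malloc */
    if (declared > avail - 4) return -1;    /* no allocation for bytes not received */
    uint8_t *copy = malloc(declared);
    if (copy == NULL) return -1;
    memcpy(copy, buf + 4, declared);
    *out = copy;
    *out_len = declared;
    return 0;
}

int main(void) {
    /* Constructed inputs: a header declaring ~4 GiB, and a valid 3-byte request. */
    const uint8_t huge[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    const uint8_t ok[7] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
    uint8_t *out = NULL;
    size_t n = 0;
    printf("unchecked path would allocate %zu bytes\n", alloc_size_unchecked(huge));
    printf("hardened, oversized: %d\n", parse_request(huge, sizeof huge, &out, &n));
    printf("hardened, valid:     %d\n", parse_request(ok, sizeof ok, &out, &n));
    free(out);
    return 0;
}
```

The hardened path rejects the request before any allocation happens, so a single declared length cannot drive memory use past the configured limit.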

Defensive priority

High: the flaw is unauthenticated, remotely reachable, and can take down an industrial gateway service by exhausting memory, which can disrupt OT operations.

Recommended defensive actions

  • Review the FESTO/CISA advisory for CODESYS provided by Festo and confirm whether any vendor updates or hardening guidance apply in your environment.
  • Enable password protection at login if no controller password is set; the supplied remediation notes that the password configuration file is not included in the default FFT backup and restore process and must be selected manually.
  • Limit exposure of the Gateway Server V2 to trusted networks only and follow CISA ICS recommended practices for segmentation and defense in depth.
  • Inventory all deployments of "CODESYS provided by Festo" and verify whether any affected gateway services are reachable from untrusted networks.
  • Monitor gateway availability and memory usage for signs of abnormal request-driven exhaustion or service restarts.

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-25-182-03 for FESTO, which lists "CODESYS provided by Festo all versions" as affected and describes the lack of request-size validation leading to unauthenticated memory exhaustion and crash. The remediation entry explicitly recommends enabling password protection at login when no controller password is configured. The supplied enrichment shows no KEV entry and no ransomware campaign use. The advisory revision history includes a same-day reference correction.

Official resources

Publicly disclosed in the supplied CISA CSAF advisory ICSA-25-182-03 / VDE-2024-059 on 2024-12-03, with a same-day revision that corrected one reference.