PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-32139 CODESYS CVE debrief

CVE-2022-32139 affects multiple CODESYS products and is referenced in the CISA CSAF advisory for Festo Automation Suite, which bundled CODESYS components before release 2.8.0.138. A remote attacker holding low privileges on the target (CVSS PR:L, so some authenticated or otherwise legitimate access is required, not anonymous access) can craft a request that triggers an out-of-bounds read and causes a denial of service, with no user interaction needed. The CSAF advisory was first published on 2026-02-26 and republished on 2026-03-17.

Vendor: CODESYS (attribution marked low confidence in the source metadata; see Evidence notes)
Product: Festo Automation Suite (bundled CODESYS components before 2.8.0.138); the advisory also names multiple CODESYS products
CVSS: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CISA KEV: Not listed, per the supplied evidence
Original CVE published: 2026-02-26 (date as recorded in the supplied advisory metadata; the CVE identifier itself belongs to the 2022 series)
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT and industrial automation teams running Festo Automation Suite (any release before 2.8.0.138 carries the bundled CODESYS components) or stand-alone CODESYS products, especially on engineering workstations and on any host whose CODESYS services are reachable from networks the team does not control. Security teams responsible for patch management, asset inventory, and supplier advisories should also track this issue: it is network-reachable, and in OT a loss of availability is an operational impact, not only a security one.

Technical summary

The advisory describes an out-of-bounds read in multiple CODESYS products; it does not identify the specific component or code path, so the affected product list and fixed versions must be taken from the CODESYS advisory itself. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, low privileges required (the attacker needs some authenticated or otherwise legitimate access), no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact. Those metrics produce a base score of 6.5 and match the stated outcome, a denial of service rather than code execution or data disclosure. The remediation guidance states that from Festo Automation Suite 2.8.0.138 onward CODESYS is no longer bundled and must be installed separately; customers are advised to obtain patched CODESYS releases from the official vendor and keep the FAS connector updated. For an older suite, the path to a fix therefore runs through the suite upgrade, which removes the bundled copy, followed by a separate install of a current CODESYS release.

Defensive priority

Medium-High. The CVSS base score is 6.5 (Medium), but the issue is network-reachable, needs no user interaction, and affects availability, which in OT environments is usually the property that matters most. The low-privilege requirement (PR:L) is the only precondition; treat it as easily met wherever engineering credentials are shared, reused, or reachable from a flat network. Prioritize remediation for exposed or operationally critical engineering systems running affected Festo/CODESYS combinations.

Recommended defensive actions

  • Inventory every Festo Automation Suite installation and record its version. Releases before 2.8.0.138 ship bundled CODESYS components; from 2.8.0.138 onward CODESYS is installed separately, so check for a stand-alone CODESYS install as well.
  • For bundled installs, update the suite and the FAS connector to the latest Festo release, then install the latest patched CODESYS release from the official CODESYS website, since the suite no longer supplies it.
  • Compare the CODESYS version actually installed against the affected and fixed versions listed in the CODESYS advisory for CVE-2022-32139 rather than relying on the suite version alone.
  • Follow the vendor installation and update instructions so all security fixes are applied correctly, and confirm the installed version afterward.
  • Monitor CODESYS and Festo security advisories and apply updates promptly when new fixes are released.
  • Review OT network exposure: restrict access to engineering systems and to any host exposing CODESYS services, and, because PR:L means an authenticated attacker, also review which accounts can reach those services.

Evidence notes

This debrief is based on the supplied CISA CSAF advisory metadata and the official links it references. The advisory text explicitly states that a low-privileged remote attacker can craft a request causing an out-of-bounds read and denial of service, with no user interaction required. Product naming in the source ties the issue to Festo Automation Suite and multiple CODESYS products. The vendor attribution field in the source metadata is marked low confidence and should be checked against the advisory itself: the vulnerable code is CODESYS's, while Festo is the integrator whose suite bundled it.

Official resources

CISA published the advisory on 2026-02-26 and republished it on 2026-03-17. The official links referenced by the advisory are not reproduced on this page. The supplied sources do not include exploit code or weaponization details, and this debrief omits such material.