PatchSiren cyber security CVE debrief

CVE-2022-4048 CODESYS CVE debrief

CVE-2022-4048 is a high-severity local attack against CODESYS Development System V3 versions prior to 3.5.18.40. In affected Festo Automation Suite deployments that bundled vulnerable CODESYS components, an unauthenticated local attacker could access and manipulate encrypted boot application code.

Vendor: CODESYS
Product: FESTO
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT/ICS teams, Festo Automation Suite users, CODESYS integrators, and administrators of engineering workstations or hosts where local access is possible.

Technical summary

The advisory describes inadequate encryption strength in CODESYS Development System V3 prior to 3.5.18.40. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating local exploitation with no privileges or user interaction, and strong confidentiality and integrity impact. CISA’s source item ties the issue to Festo Automation Suite deployments and states that, starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be obtained separately from the official CODESYS website.

Defensive priority

High for OT environments with local engineering-workstation access.

Recommended defensive actions

  • Inventory Festo Automation Suite installations and verify whether any deployment includes CODESYS Development System versions prior to 3.5.18.40.
  • Upgrade CODESYS to the latest patched version from the official CODESYS website.
  • Update Festo Automation Suite to version 2.8.0.138 or later, and keep the Festo Automation Suite connector current.
  • Limit and monitor local access to engineering workstations and systems that can modify boot application code.
  • Track vendor advisories from CODESYS, Festo, CertVDE, and CISA for follow-on updates or clarified affected versions.
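As an added example (not PatchSiren's, Festo's or CODESYS's own tooling), the script below applies the two version thresholds from this debrief to a constructed workstation inventory: hostnames and versions are hypothetical, and the "review" verdict marks older Festo suites that may still carry a bundled CODESYS component.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the advisory text.
CODESYS_FIXED = "3.5.18.40"     # CODESYS Development System V3: fixed from here
FESTO_UNBUNDLED = "2.8.0.138"   # Festo Automation Suite: CODESYS no longer bundled from here


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers, right-padded with zeros to four fields.
    Integer comparison avoids the string-compare trap where "3.5.18.9" > "3.5.18.40"."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class Host:
    name: str
    festo_version: Optional[str]    # None: Festo Automation Suite not installed
    codesys_version: Optional[str]  # None: no CODESYS Development System version found


def assess(host: Host) -> str:
    """Classify one host as 'vulnerable', 'patched', 'review' or 'n/a'."""
    if host.codesys_version is not None:
        if parse_version(host.codesys_version) < parse_version(CODESYS_FIXED):
            return "vulnerable"
        return "patched"
    # No CODESYS version recorded: suites older than 2.8.0.138 bundled it, so inspect by hand.
    if host.festo_version is not None and \
            parse_version(host.festo_version) < parse_version(FESTO_UNBUNDLED):
        return "review"
    return "n/a"


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Group host names by verdict so the 'vulnerable' and 'review' buckets can be worked first."""
    out: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "review": [], "n/a": []}
    for h in hosts:
        out[assess(h)].append(h.name)
    return out


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    Host("eng-ws-01", "2.7.1.50", "3.5.17.10"),
    Host("eng-ws-02", "2.8.0.138", "3.5.19.0"),
    Host("eng-ws-03", "2.7.0.20", None),
    Host("eng-ws-04", None, "3.5.18.9"),
    Host("hmi-05", None, None),
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE).items():
        print(f"{verdict:10s} {names}")
```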

Evidence notes

This debrief is based on the supplied CISA CSAF source item (ICSA-26-076-01) and the linked official references. The vulnerable component is explicitly named as CODESYS Development System V3 prior to 3.5.18.40. The supplied vendor metadata is low-confidence and should be treated as needing review because the advisory content centers on Festo Automation Suite bundling CODESYS components rather than a standalone FESTO product claim.

Official resources

Initial CISA publication: 2026-02-26T08:00:00Z; CISA republication/update: 2026-03-17T06:00:00Z.