PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-47385 CODESYS CVE debrief

CVE-2022-47385 is a high-severity memory-corruption issue affecting CODESYS components used in multiple Festo Automation Suite versions. According to the CISA advisory, an authenticated remote attacker could trigger a stack-based out-of-bounds write in the CmpAppForce component, potentially causing denial of service, memory overwriting, or remote code execution. The advisory was initially published on 2026-02-26 and republished by CISA on 2026-03-17 from the underlying Festo advisory feed.

Vendor: CODESYS
Product: FESTO
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

Industrial control system defenders, OT/ICS administrators, and engineers running Festo Automation Suite installations that include affected CODESYS Development System components. Asset owners should also care if their workflow relies on externally installed CODESYS packages, or if they maintain Festo Automation Suite deployments at versions earlier than the patched release and bundling change noted in the advisory.

Technical summary

The source advisory describes an authenticated remote stack-based out-of-bounds write in the CmpAppForce component of multiple CODESYS products. The affected product list in the advisory includes Festo Automation Suite versions below 2.8.0.138 and specific configurations involving CODESYS Development System 3.0, 3.5.16.10, and 3.5.21.20. The stated impact includes denial of service, memory corruption/overwriting, and possible remote code execution. The CVSS vector provided is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and the mapped weakness is CWE-787 (out-of-bounds write).

Defensive priority

High. This is network-reachable, requires authentication, and the vendor advisory explicitly lists denial-of-service, memory overwrite, and possible remote code execution outcomes. Even without KEV inclusion, the combination of OT exposure and high integrity/availability impact warrants prompt patching and inventory review.

Recommended defensive actions

  • Update to the latest patched CODESYS release referenced by the vendor and apply it through the official CODESYS installation/update process.
  • Review Festo Automation Suite deployments and identify systems running versions earlier than 2.8.0.138 or configurations that include the affected CODESYS Development System components.
  • Install Festo Automation Suite updates as released by Festo, including the connector updates referenced in the remediation guidance.
  • Monitor CODESYS and Festo security advisories regularly and apply updates promptly after validation in an OT-safe maintenance window.
  • If the environment depends on separately installed CODESYS components, verify the installed version against the advisory before returning the system to service.
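The inventory step in the list above is easy to get wrong when versions are compared as strings ("2.8.0.99" sorts after "2.8.0.138" lexically but is older). The following is an added example for this debrief, not code from PatchSiren, Festo or CODESYS: it triages a constructed inventory against the version boundaries the advisory states (Festo Automation Suite below 2.8.0.138; CODESYS Development System 3.0, 3.5.16.10 and 3.5.21.20). Matching the listed CODESYS versions exactly rather than as ranges, the hostnames, and the record layout are all assumptions made for the example.

```python
"""Triage an asset inventory for CVE-2022-47385 scope.

Added example; not code from PatchSiren or the vendors. The version
boundaries come from the debrief text; the inventory rows are constructed.
"""
from typing import NamedTuple, Optional

# Festo Automation Suite: versions below this are in scope per the advisory
FAS_FIXED = "2.8.0.138"
# CODESYS Development System versions the advisory names. Treating them as
# exact versions rather than version ranges is an assumption of this example.
CDS_AFFECTED = {"3.0", "3.5.16.10", "3.5.21.20"}


class Asset(NamedTuple):
    host: str
    product: str
    version: Optional[str]   # None when the inventory has no version recorded


def parse_version(text):
    """'2.8.0.138' -> (2, 8, 0, 138): numeric tuple, so comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(asset):
    """True if in scope, False if not, None if it cannot be decided."""
    if asset.version is None:
        return None
    try:
        if asset.product == "Festo Automation Suite":
            return parse_version(asset.version) < parse_version(FAS_FIXED)
        if asset.product == "CODESYS Development System":
            return asset.version.strip() in CDS_AFFECTED
    except ValueError:          # non-numeric version string, e.g. "unknown"
        return None
    return False                # product not named in the advisory


def triage(inventory):
    """Split the inventory into hosts to patch and hosts needing a manual check."""
    affected, unverified = [], []
    for asset in inventory:
        verdict = is_affected(asset)
        if verdict is None:
            unverified.append(asset.host)
        elif verdict:
            affected.append(asset.host)
    return {"affected": affected, "unverified": unverified}


# Constructed sample inventory (hostnames and versions are made up)
INVENTORY = [
    Asset("eng-ws-01", "Festo Automation Suite", "2.7.5.20"),
    Asset("eng-ws-02", "Festo Automation Suite", "2.8.0.99"),   # lexical trap
    Asset("eng-ws-03", "Festo Automation Suite", "2.8.0.138"),  # at fixed version
    Asset("eng-ws-04", "Festo Automation Suite", "2.10.0.1"),   # lexical trap
    Asset("eng-ws-05", "CODESYS Development System", "3.5.16.10"),
    Asset("eng-ws-06", "CODESYS Development System", "3.5.19.0"),
    Asset("eng-ws-07", "CODESYS Development System", None),
    Asset("plc-gw-01", "Unrelated Gateway Software", "1.0"),
]

if __name__ == "__main__":
    result = triage(INVENTORY)
    print("patch first:   ", ", ".join(result["affected"]))
    print("verify by hand:", ", ".join(result["unverified"]))
```

Hosts with no recorded version land in the "unverified" bucket rather than being silently treated as safe; in an OT estate that bucket is usually where the separately installed CODESYS packages mentioned in the last action item turn up.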

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01 and its referenced Festo/CERT@VDE sources. The advisory states: authenticated remote attacker; stack-based out-of-bounds write; CmpAppForce component; denial of service, memory overwriting, or remote code execution. The product scope listed in the advisory centers on Festo Automation Suite installations involving CODESYS Development System versions 3.0, 3.5.16.10, and 3.5.21.20, with the patched/bundling note that CODESYS is no longer bundled starting with Festo Automation Suite 2.8.0.138. The CVSS vector and CWE-787 link are included in the source corpus. The vendor/product naming in the supplied metadata is inconsistent, so this debrief anchors on the advisory text rather than the low-confidence vendor field.

Official resources

CISA published the advisory on 2026-02-26 and republished it on 2026-03-17 from the underlying Festo advisory. No KEV entry was supplied in the corpus.