PatchSiren cyber security CVE debrief
CVE-2022-47386 CODESYS CVE debrief
CVE-2022-47386 is a high-severity memory corruption issue reported by CISA for CODESYS components used in Festo Automation Suite. The advisory says an authenticated remote attacker could trigger a stack-based out-of-bounds write in the CmpTraceMgr component, which may lead to denial of service, memory overwriting, or remote code execution. CISA published the advisory on 2026-02-26 and republished it on 2026-03-17 with the initial Festo/CERT-VDE advisory content.
- Vendor: CODESYS
- Product: FESTO
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Organizations running Festo Automation Suite installations that bundle or rely on CODESYS components, especially those on the versions the advisory lists as affected. OT/ICS operators, automation engineers, and vulnerability management teams should prioritize review because the issue is reachable remotely by an authenticated user and can affect confidentiality, integrity, and availability.
Technical summary
The source advisory describes a stack-based out-of-bounds write in CmpTraceMgr within multiple CODESYS products and versions. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network reachability, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Affected configurations include Festo Automation Suite versions below 2.8.0.138 and listed installations that include CODESYS Development System 3.0, 3.5.16.10, or 3.5.21.20, as documented in the advisory metadata.
Defensive priority
High. This is a remotely reachable memory corruption flaw with potential for service disruption and code execution. If affected systems are exposed to untrusted networks or rely on authenticated remote access, prioritize patching and configuration review promptly.
Recommended defensive actions
- Update Festo Automation Suite to version 2.8.0.138 or later, the release in which, per the advisory, the bundled CODESYS behavior changed.
- Install the latest patched CODESYS version directly from the official CODESYS website, following vendor installation and update guidance.
- Review whether any affected installations use the listed CODESYS Development System versions or external components identified in the advisory.
- Monitor Festo and CODESYS security advisories and apply updates promptly when new fixes are released.
- Keep the Festo Automation Suite connector current by installing FAS updates as they are released by Festo.
- Treat remote authenticated access paths to affected automation hosts as sensitive and restrict them to trusted administrative users and networks while remediation is underway.
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-26-076-01 and its referenced Festo/CERT-VDE materials. The advisory title is 'CODESYS in Festo Automation Suite.' The described vulnerability is an authenticated remote stack-based out-of-bounds write in CmpTraceMgr. The source metadata lists affected product combinations including Festo Automation Suite <2.8.0.138 and installations involving CODESYS Development System 3.0, 3.5.16.10, and 3.5.21.20. The supplied CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and no KEV entry was provided.
Official resources
- CVE-2022-47386 CVE record (CVE.org)
- CVE-2022-47386 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public advisory first published by CISA on 2026-02-26 and modified/reissued on 2026-03-17. No KEV entry was supplied in the source corpus.