PatchSiren cyber security CVE debrief
CVE-2022-47388 CODESYS CVE debrief
CVE-2022-47388 is a high-severity memory corruption flaw in the CmpTraceMgr component used by multiple CODESYS products. In the Festo Automation Suite context, an authenticated remote attacker may be able to write past the stack boundary, which can result in denial of service, memory overwriting, or remote code execution. The advisory recommends moving to patched CODESYS releases and keeping the Festo Automation Suite connector updated.
- Vendor: CODESYS
- Product: FESTO
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Administrators, engineers, and security teams responsible for Festo Automation Suite installations that include CODESYS Development System components, especially environments covered by the advisory's affected version matrix. This is most relevant where authenticated remote access to the affected engineering software is possible.
Technical summary
The advisory describes a stack-based out-of-bounds write in CmpTraceMgr affecting multiple CODESYS products and versions. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a network-reachable issue that is exploitable with low complexity and low privileges, without user interaction, and with potentially complete confidentiality, integrity, and availability impact. The Festo-linked advisory scope includes Festo Automation Suite installations below 2.8.0.138 with bundled CODESYS Development System versions noted by the source, and the remediation notes that from 2.8.0.138 onward CODESYS is no longer bundled with the suite.
Defensive priority
High. The issue is remotely reachable, requires authentication but no user interaction, and is described as capable of denial of service, memory overwrite, or remote code execution.
Recommended defensive actions
- Inventory all Festo Automation Suite deployments and identify any installations that include CODESYS Development System components named in the advisory.
- Upgrade Festo Automation Suite to version 2.8.0.138 or later where applicable, and verify the updated connector is installed.
- Download and install the latest patched CODESYS release directly from the official CODESYS website.
- Follow the vendor's installation and update guidance so that all CODESYS security fixes are applied.
- Monitor CODESYS and Festo security advisories regularly and apply updates promptly.
- Validate after patching that no bundled or separately installed vulnerable CODESYS components remain in use.
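As an added example that is not from the advisory or from Festo or CODESYS tooling, a small Python triage helper that applies the inventory, upgrade and validation steps above to a constructed inventory; the record fields, host names and version values are assumptions, and only the 2.8.0.138 threshold comes from the advisory.

```python
from typing import Dict, List, Tuple

# Festo Automation Suite release from which CODESYS is no longer bundled (per the advisory).
FIXED_SUITE_VERSION = "2.8.0.138"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple so that 2.8.0.99 < 2.8.0.138.

    Plain string comparison gets this wrong ("99" sorts after "138").
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def suite_below_fix(version: str) -> bool:
    """True when the installed suite predates the release that drops bundled CODESYS."""
    return parse_version(version) < parse_version(FIXED_SUITE_VERSION)


def triage(record: Dict[str, object]) -> str:
    """Map one inventory record (assumed field names) to the action the advisory calls for."""
    host = record["host"]
    if suite_below_fix(str(record["suite_version"])):
        return f"{host}: upgrade Festo Automation Suite to {FIXED_SUITE_VERSION} or later"
    if record.get("codesys_bundled"):
        # A post-fix suite should not ship CODESYS; a bundled copy means validation failed.
        return f"{host}: bundled CODESYS still present after upgrade, re-check install"
    if record.get("codesys_installed") and not record.get("codesys_patched"):
        return f"{host}: apply patched CODESYS release from the official CODESYS site"
    return f"{host}: no action required"


def triage_inventory(records: List[Dict[str, object]]) -> List[str]:
    return [triage(r) for r in records]


# Constructed sample inventory; hosts and versions are not real data.
SAMPLE_INVENTORY = [
    {"host": "eng-ws-01", "suite_version": "2.7.1.40", "codesys_bundled": True},
    {"host": "eng-ws-02", "suite_version": "2.8.0.99", "codesys_bundled": True},
    {"host": "eng-ws-03", "suite_version": "2.8.0.138", "codesys_bundled": True},
    {"host": "eng-ws-04", "suite_version": "2.8.1.2", "codesys_installed": True, "codesys_patched": False},
    {"host": "eng-ws-05", "suite_version": "2.9.0.1", "codesys_installed": True, "codesys_patched": True},
]

if __name__ == "__main__":
    for line in triage_inventory(SAMPLE_INVENTORY):
        print(line)
```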
Evidence notes
All product, impact, and remediation statements are drawn from the supplied CISA CSAF advisory ICSA-26-076-01 and its referenced Festo/CERT@VDE materials. The source identifies an authenticated remote stack-based out-of-bounds write in CmpTraceMgr, with consequences including DoS, memory overwriting, and RCE. The remediation text instructs customers to use patched CODESYS releases and to keep Festo Automation Suite updated, and notes that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled.
Official resources
- CVE-2022-47388 CVE record (CVE.org)
- CVE-2022-47388 NVD detail (NVD)
- Source item URL (cisa_csaf)
Initial CISA publication: 2026-02-26T08:00:00.000Z. Source republication/update: 2026-03-17T06:00:00.000Z. The advisory identifier is ICSA-26-076-01, republishing Festo SE & Co. KG advisory FSA-202601.