PatchSiren cyber security CVE debrief
CVE-2022-47392 CODESYS CVE debrief
CVE-2022-47392 is a medium-severity availability issue affecting CmpApp/CmpAppBP/CmpAppForce components in multiple CODESYS products used by Festo Automation Suite. According to the advisory, an authenticated remote attacker can exploit improper input validation to read from an invalid address, which can lead to a denial-of-service condition.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT and automation teams using Festo Automation Suite or separately installed CODESYS components, especially administrators responsible for engineering workstations, update management, and remotely accessible industrial systems.
Technical summary
The source advisory describes improper input validation in the CmpApp/CmpAppBP/CmpAppForce components of multiple CODESYS products. An attacker with authentication and remote network access may trigger an invalid-address read that affects availability only. The supplied CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, matching a denial-of-service outcome rather than confidentiality or integrity impact. The advisory’s affected-product listings include Festo Automation Suite versions below 2.8.0.138 and specific CODESYS Development System variants referenced by the vendor.
Defensive priority
Medium. Prioritize patching in any environment where CODESYS-based engineering software is remotely reachable by authenticated users, and treat connected OT deployments as higher operational-risk environments even though the issue is limited to denial of service.
Recommended defensive actions
- Upgrade Festo Automation Suite to version 2.8.0.138 or later, where CODESYS is no longer bundled with the suite.
- Install the latest patched CODESYS release directly from the official CODESYS website and follow the vendor’s update instructions.
- If CODESYS is installed separately, verify that the local installation is patched before returning the workstation or engineering system to production use.
- Keep the Festo Automation Suite connector up to date by applying FAS updates as they are released.
- Monitor Festo and CODESYS security advisories regularly and apply future security updates promptly.
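Because the fix threshold is a four-component version (2.8.0.138), a naive string comparison will misjudge builds such as 2.8.0.9. The following added example (mine, not Festo's or PatchSiren's) compares versions numerically against the 2.8.0.138 threshold quoted above and triages a constructed workstation inventory; the inventory records, field names and status labels are assumptions, and since the page names no specific patched CODESYS version, a separately installed CODESYS is only flagged for manual verification.

```python
"""Triage Festo Automation Suite installs against the CVE-2022-47392 fix release.

Added example, not part of the debrief or the vendor advisory. Only the
2.8.0.138 threshold comes from the advisory; the inventory records and
status labels below are constructed for illustration.
"""
from __future__ import annotations

import re

# Fix release quoted in the advisory: from this version on, CODESYS is no
# longer bundled and must be patched as a separate install.
FIXED_FAS_VERSION = "2.8.0.138"

# Status labels (assumed names for this example).
UPGRADE_FAS = "UPGRADE_FAS"          # FAS below the fix release
VERIFY_CODESYS = "VERIFY_CODESYS"    # FAS fixed, separate CODESYS install must be checked
OK = "OK"                            # FAS fixed, no separate CODESYS install recorded
UNKNOWN = "UNKNOWN_VERSION"          # version string not parseable; needs manual review


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.8.0.138' into (2, 8, 0, 138); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_fixed(installed: str, fixed: str = FIXED_FAS_VERSION) -> bool:
    """Numeric, component-wise comparison; shorter versions are padded with zeros
    so that 2.8.1 compares as 2.8.1.0 and 2.10 as 2.10.0.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage_host(record: dict) -> str:
    """Decide the follow-up action for one inventory record."""
    try:
        fixed = is_fixed(record["fas_version"])
    except ValueError:
        return UNKNOWN
    if not fixed:
        return UPGRADE_FAS
    # After 2.8.0.138 CODESYS is a separate install; the page gives no CODESYS
    # version threshold, so we can only flag it for verification against the
    # vendor's release notes rather than decide it here.
    if record.get("codesys_separate_install"):
        return VERIFY_CODESYS
    return OK


def triage_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Group host names by required action."""
    result: dict[str, list[str]] = {UPGRADE_FAS: [], VERIFY_CODESYS: [], OK: [], UNKNOWN: []}
    for record in inventory:
        result[triage_host(record)].append(record["host"])
    return result


# Constructed sample inventory (not real hosts or data from the advisory).
SAMPLE_INVENTORY = [
    {"host": "eng-ws-01", "fas_version": "2.7.3.50", "codesys_separate_install": False},
    {"host": "eng-ws-02", "fas_version": "2.8.0.9", "codesys_separate_install": False},
    {"host": "eng-ws-03", "fas_version": "2.8.0.138", "codesys_separate_install": True},
    {"host": "eng-ws-04", "fas_version": "2.9.1", "codesys_separate_install": False},
    {"host": "eng-ws-05", "fas_version": "n/a", "codesys_separate_install": False},
]

if __name__ == "__main__":
    for action, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```

The host on 2.8.0.9 is the case to notice: as a string it sorts after 2.8.0.138, but numerically it is older and still needs the upgrade. Hosts that already run the fix release are not automatically done, because their CODESYS installation is now a separate package that has to be confirmed against the current CODESYS release.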
Evidence notes
Primary evidence comes from CISA’s CSAF advisory ICSA-26-076-01, which republishes Festo SE & Co. KG advisory FSA-202601. The source text explicitly identifies improper input validation in CmpApp/CmpAppBP/CmpAppForce, states that an authenticated remote attacker may read from an invalid address, and ties the impact to denial of service. The remediation section states that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed separately, with customers directed to use patched CODESYS releases and keep the FAS connector updated.
Official resources
- CVE-2022-47392 CVE record (CVE.org)
- CVE-2022-47392 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-02-26 and republished it on 2026-03-17 as an initial CISA republication of Festo SE & Co. KG advisory FSA-202601.