PatchSiren cyber security CVE debrief
CVE-2023-3669 CODESYS CVE debrief
CVE-2023-3669 is a low-severity local brute-force weakness in CODESYS Development System prior to 3.5.19.20. The issue allows unlimited password guesses within an import dialog, which can weaken the confidentiality of protected imported content. In the supplied source corpus, CISA republished the Festo advisory for this issue on 2026-02-26 and updated the record on 2026-03-17.
- Vendor: CODESYS
- Product: FESTO
- CVSS: LOW 3.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Organizations using Festo Automation Suite and any separately installed CODESYS Development System instance prior to 3.5.19.20, especially teams supporting engineering workstations or other local systems that use protected import dialogs.
Technical summary
The advisory describes a missing brute-force protection control in a CODESYS Development System import dialog. A local attacker with the ability to interact with the dialog can make unlimited password guesses. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, which matches the source's low-impact confidentiality-only assessment. The source also aligns this weakness with CWE-307 (improper restriction of excessive authentication attempts).
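To make the CWE-307 point concrete, the following is an added illustration written for this debrief; it is not CODESYS or Festo code and does not model how the real import dialog is built. It places the weakness shape (every password guess evaluated, no matter how many failed before it) next to a hardened gate that counts failures, locks the check out with exponential backoff, and keeps an audit trail a defender can forward to monitoring. The class and function names, the PBKDF2 iteration count and the injected clock are all assumptions made for the example.

```python
"""Added example for CVE-2023-3669: an attempt-limiting gate for a
password-protected import. Illustrative code only, not the vendor's."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 20_000  # lowered for a quick demo; production values are far higher


class ProtectedImport:
    """Constructed stand-in for protected import content guarded by a password."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._derive(password, self.salt)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def matches(self, candidate: str) -> bool:
        # Constant-time comparison so the check itself leaks nothing about the digest.
        return hmac.compare_digest(self._derive(candidate, self.salt), self.digest)


class UnthrottledGate:
    """The weakness shape (CWE-307): every guess is evaluated regardless of prior failures."""

    def __init__(self, item: ProtectedImport) -> None:
        self.item = item
        self.evaluated = 0

    def unlock(self, candidate: str) -> str:
        self.evaluated += 1
        return "ok" if self.item.matches(candidate) else "denied"


class ThrottledGate:
    """Hardened gate: bounded failures, exponential lockout, audit trail."""

    def __init__(self, item, max_failures=5, base_lockout=30.0, clock=time.monotonic):
        self.item = item
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock            # injected so the lockout can be tested without sleeping
        self.failures = 0
        self.locked_until = 0.0
        self.evaluated = 0
        self.audit = []               # (event, timestamp, failures) tuples for monitoring

    def unlock(self, candidate: str) -> str:
        now = self.clock()
        if now < self.locked_until:
            # While locked, the guess is refused without being checked at all.
            self.audit.append(("locked", now, self.failures))
            return "locked"
        self.evaluated += 1
        if self.item.matches(candidate):
            self.failures = 0
            self.audit.append(("unlock", now, 0))
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            # Lockout doubles with each failure beyond the threshold: 30s, 60s, 120s, ...
            exponent = self.failures - self.max_failures
            self.locked_until = now + self.base_lockout * (2 ** exponent)
            self.audit.append(("lockout", now, self.failures))
        return "denied"


class FakeClock:
    """Test clock so lockout windows can be exercised deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def count_evaluated(gate, candidates) -> int:
    """Submit each candidate and report how many the gate actually checked."""
    for candidate in candidates:
        gate.unlock(candidate)
    return gate.evaluated


if __name__ == "__main__":
    secret = ProtectedImport("constructed-demo-passphrase")
    wrong = ["not-it"] * 20  # constructed wrong guesses
    print("unthrottled evaluated:", count_evaluated(UnthrottledGate(secret), wrong))  # 20
    clock = FakeClock()
    gate = ThrottledGate(secret, clock=clock.now)
    print("throttled evaluated:", count_evaluated(gate, wrong))  # 5
    print("last audit event:", gate.audit[-1])
```

The important design choice is that the locked gate refuses a guess without evaluating it, so the number of password comparisons an unprivileged local user can obtain is bounded by the threshold and the lockout schedule rather than by their patience; the audit tuples are what a workstation agent or SIEM rule would key on to spot repeated lockouts.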
Defensive priority
Moderate for systems where local users or shared engineering workstations can reach the affected import workflow; otherwise lower priority because the attack is local and the reported severity is low. Patch promptly anyway, since brute-force weaknesses directly undermine password-based protection.
Recommended defensive actions
- Upgrade CODESYS Development System to version 3.5.19.20 or later.
- If using Festo Automation Suite, update to 2.8.0.138 or later and verify that any separately installed CODESYS component is also patched.
- Follow the vendor installation and update guidance referenced in the advisory before returning systems to service.
- Apply least-privilege and local-access controls on engineering workstations so only authorized users can reach protected import workflows.
- Monitor CODESYS and Festo security advisories and apply future updates promptly.
Evidence notes
The core finding comes from the CISA CSAF advisory ICSA-26-076-01, which republishes the Festo advisory FSA-202601. The source description states that CODESYS Development System prior to 3.5.19.20 lacks brute-force protection in an import dialog. The remediation text in the source also states that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be downloaded and installed separately by the customer. The supplied vendor metadata is low-confidence and inconsistent with the advisory title; the source corpus points to Festo Automation Suite and CODESYS rather than an unsupported generic vendor label.
Official resources
- CVE-2023-3669 CVE record (CVE.org)
- CVE-2023-3669 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Use the advisory publication date supplied in the corpus as the timing context: initial publication on 2026-02-26 and CISA republication/update on 2026-03-17. The CVE identifier is not treated as the event date.