PatchSiren cyber security CVE debrief
CVE-2023-37545 CODESYS CVE debrief
CVE-2023-37545 is a medium-severity denial-of-service issue in CODESYS components used in Festo Automation Suite. According to the advisory, a user who has already authenticated can send specific crafted network communication requests with inconsistent content and cause the CmpApp component to read from an invalid internal address. The practical outcome is a crash or service disruption rather than a direct confidentiality or integrity impact.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators, plant engineers, and IT/security teams running Festo Automation Suite or affected CODESYS Development System installations should review this CVE. It matters most where authenticated users can reach the impacted service and where an application outage would interrupt engineering, commissioning, or production workflows.
Technical summary
The advisory describes an authenticated network-triggered flaw in CmpApp. A valid user can submit crafted requests whose content is inconsistent enough to make CmpApp read from an invalid address internally, which can lead to denial of service. The source does not describe code execution or data corruption, and it explicitly distinguishes this issue from CVE-2023-37546 through CVE-2023-37550.
Defensive priority
Medium priority. The issue requires successful authentication and is reported as denial of service only, but it affects industrial software where availability is often critical. Prioritize patching if the affected CODESYS component is exposed to operational users or remote engineering access.
Recommended defensive actions
- Upgrade to the latest patched CODESYS version from the official CODESYS website.
- Follow the installation and update instructions provided by CODESYS so security fixes are applied correctly.
- Keep monitoring CODESYS security advisories and apply updates promptly.
- If using Festo Automation Suite, install the latest FAS updates as released by Festo.
- For deployments that previously relied on bundled CODESYS, note that Festo Automation Suite 2.8.0.138 and later no longer bundles CODESYS and requires separate customer installation and maintenance of the component.
- Apply ICS defensive practices such as limiting authenticated access to trusted users and segments, and monitoring for abnormal application crashes or service interruptions.
Evidence notes
The CVE description and CISA CSAF advisory state that the flaw affects multiple CODESYS products and versions and can cause a denial-of-service condition after successful authentication as a user. The supplied advisory metadata also lists affected Festo Automation Suite and CODESYS Development System versions, remediation steps, and a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. No exploit code, weaponization details, or KEV listing were provided in the source corpus.
Official resources
- CVE-2023-37545 CVE record (CVE.org)
- CVE-2023-37545 NVD detail (NVD)
- Source item URL: cisa_csaf
Public advisory timeline supplied with the record shows initial publication on 2026-02-26 and a revision/republication on 2026-03-17. The CISA source history indicates the second entry is an initial CISA republication of the Festo SE & Co.