PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-37547 CODESYS CVE debrief

CVE-2023-37547 describes an authenticated denial-of-service condition affecting multiple CODESYS products and versions as used in Festo Automation Suite. According to the advisory, a user who has already authenticated can send crafted network communication requests with inconsistent content that cause the CmpApp component to read from an invalid internal address, potentially crashing or destabilizing the service. In OT and industrial environments, that makes availability the primary concern.

Vendor: CODESYS
Product: FESTO
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT/ICS administrators, Festo Automation Suite users, teams running CODESYS-based engineering or runtime components, plant security teams, and vulnerability management staff responsible for authenticated network services in industrial environments.

Technical summary

The advisory says that after successful user authentication, specific crafted network communication requests with inconsistent content can trigger an invalid internal read in the CmpApp component. The impact is denial of service only; the published CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, reflecting network reachability, low attack complexity, and the need for user privileges.

Defensive priority

Medium overall, with elevated operational priority in OT environments because the impact is availability loss in a control/automation context and the vulnerable component is network-reachable after authentication.

Recommended defensive actions

  • Identify whether Festo Automation Suite deployments include affected bundled CODESYS components or standalone CODESYS installations listed in the advisory.
  • Upgrade to Festo Automation Suite version 2.8.0.138 or later, where CODESYS is no longer bundled and must be obtained separately.
  • Install the latest patched CODESYS release directly from the official CODESYS website and follow vendor update instructions.
  • Review authenticated access paths to the affected component and limit network exposure using segmentation and least-privilege access controls.
  • Monitor Festo, CODESYS, CERT-VDE, and CISA advisories for additional remediation guidance and any follow-up updates.

Evidence notes

Source advisory: CISA CSAF ICSA-26-076-01, initially published 2026-02-26 and republished 2026-03-17. The advisory explicitly states the vulnerability affects multiple CODESYS products/versions and can lead to a denial-of-service condition after successful user authentication. Product listings in the source include Festo Automation Suite versions below 2.8.0.138 and specific CODESYS Development System versions integrated with the suite. No exploit code or reproduction steps are included here.

Official resources

CISA published the CSAF advisory on 2026-02-26 and republished it on 2026-03-17. The CVE record and related official references identify the issue as CVE-2023-37547 and associate it with ICSA-26-076-01.