PatchSiren cyber security CVE debrief
CVE-2023-37548 CODESYS CVE debrief
CVE-2023-37548 is an availability issue in multiple CODESYS-related products used with Festo Automation Suite. After a user successfully authenticates, specially crafted network communication requests with inconsistent content can make the CmpApp component read from an invalid address, which can lead to a denial-of-service condition. The advisory describes this as a distinct issue from neighboring CODESYS CVEs in the same family.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS administrators, engineering workstation owners, and patch managers running Festo Automation Suite or standalone CODESYS Development System components should review this issue, especially where authenticated network access to the affected software is possible.
Technical summary
The source advisory assigns CVSS 3.1 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The flaw is triggered only after successful user authentication and involves crafted network requests with inconsistent content that cause CmpApp to read internally from an invalid address. The reported impact is denial of service; no confidentiality or integrity impact is described in the supplied source.
Defensive priority
Medium. Prioritize remediation on systems that host affected Festo Automation Suite/CODESYS installations, particularly where those systems are reachable over the network and operational downtime would be disruptive.
Recommended defensive actions
- Inventory Festo Automation Suite deployments and any bundled or separately installed CODESYS components against the affected versions named in the advisory.
- Apply the latest patched CODESYS release from the official CODESYS channel and follow the vendor update instructions for the specific installation path.
- For Festo Automation Suite, install the vendor-released suite updates and keep the connector components current.
- Limit and monitor authenticated access to engineering systems, and watch for abnormal CODESYS network activity that could indicate probing or service disruption attempts.
Evidence notes
The supplied CISA CSAF advisory ICSA-26-076-01 republishes a Festo advisory and explicitly ties CVE-2023-37548 to Festo Automation Suite and CODESYS components. The source text states that authenticated crafted network requests with inconsistent content can cause CmpApp to read from an invalid address, resulting in denial of service. The vendor metadata listed above is low-confidence and should be reviewed against the naming used in the source advisory.
Official resources
- CVE-2023-37548 CVE record (CVE.org)
- CVE-2023-37548 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public advisory date supplied in the source corpus is 2026-02-26T08:00:00.000Z, with a CISA republication/update on 2026-03-17T06:00:00.000Z. Use the advisory dates for timing context; do not infer the CVE issue date from publication or rep