PatchSiren cyber security CVE debrief
CVE-2023-37549 CODESYS CVE debrief
CVE-2023-37549 is an authenticated remote denial-of-service issue affecting multiple CODESYS product versions used in Festo Automation Suite. According to the advisory, specially crafted network communication requests with inconsistent content can make the CmpApp component read from an invalid internal address, which can disrupt the service and potentially stop affected systems from operating normally.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators, Festo Automation Suite administrators, and teams that manage environments using bundled or separately installed CODESYS components should review exposure. Security and patch management staff should also confirm whether any affected versions are deployed in production or engineering workstations.
Technical summary
The advisory states that after successful user authentication, crafted network requests with inconsistent content can cause CmpApp to read from an invalid address. The impact described is denial of service (availability only), with no confidentiality or integrity impact stated. The affected scope in the CSAF includes multiple Festo Automation Suite and CODESYS Development System version combinations, and Festo notes that from Automation Suite 2.8.0.138 onward CODESYS is no longer bundled and must be installed separately.
Defensive priority
Medium. The issue is network-reachable and can cause denial of service, but it requires successful authentication and the published impact is availability-only. Prioritize if the affected environment is operationally critical or if the vulnerable CODESYS components are broadly deployed.
Recommended defensive actions
- Identify whether Festo Automation Suite versions below 2.8.0.138 are installed, especially where they include CODESYS Development System components listed in the advisory.
- Update to the latest patched CODESYS release obtained directly from the official CODESYS website, following the vendor’s installation and update guidance.
- Install the latest Festo Automation Suite updates so the connector remains current.
- Review asset inventory for any separately installed CODESYS components that may remain after a Festo Automation Suite update.
- Monitor CODESYS and Festo security advisories and apply relevant fixes promptly in OT/ICS change windows.
- If immediate patching is not possible, restrict which hosts and accounts can reach the affected CODESYS network interfaces and verify that only authorized engineering users can reach them. Because the flaw is only triggerable after successful authentication, the set of accounts able to log in to those interfaces is part of the exposure and should be reviewed as well.
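The first and fourth actions above (find Festo Automation Suite builds below 2.8.0.138, and find separately installed CODESYS components) are an inventory check that is easy to get wrong with plain string comparison of build numbers. The script below is an added example, not code from the advisory, Festo, CODESYS or PatchSiren. It assumes an inventory already exported as (display name, version) pairs, for instance from the Windows Uninstall registry keys; the inventory embedded here is constructed for illustration, and the only threshold it encodes is the 2.8.0.138 boundary stated in the advisory. Separately installed CODESYS components are flagged for manual comparison against the advisory's version list rather than judged, because this page does not reproduce that list.

```python
"""Triage an installed-software inventory for CVE-2023-37549 exposure.

Added example, not vendor code. Input format (name, version) is assumed.
"""
import re
from dataclasses import dataclass

# Boundary stated in the advisory: from this Festo Automation Suite build
# onward CODESYS is no longer bundled and must be installed separately.
BUNDLED_CUTOFF = "2.8.0.138"

# Constructed sample inventory for illustration only; not real hosts.
SAMPLE_INVENTORY = [
    ("Festo Automation Suite", "2.7.0.120"),
    ("Festo Automation Suite", "2.10.0.5"),
    ("CODESYS Development System V3", "3.5.19.20"),
    ("Festo Automation Suite", "2.8.0.138"),
    ("Some Unrelated Tool", "1.0"),
]


def parse_version(v: str) -> tuple:
    """Split a dotted build string into integers so comparison is numeric.

    Plain string comparison gets this wrong: "2.10.0.5" < "2.8.0.138" is
    True as text but False as a version.
    """
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b numerically; shorter tuples are padded with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


@dataclass
class Finding:
    name: str
    version: str
    verdict: str  # BUNDLED-CODESYS, NOT-BUNDLED or REVIEW, plus a reason


def triage(inventory):
    """Classify each inventory entry; unrelated software produces no finding."""
    findings = []
    for name, version in inventory:
        lname = name.lower()
        if "festo automation suite" in lname:
            if version_lt(version, BUNDLED_CUTOFF):
                verdict = ("BUNDLED-CODESYS: below 2.8.0.138, bundled CODESYS "
                           "must be checked against the advisory and updated")
            else:
                verdict = ("NOT-BUNDLED: 2.8.0.138 or later, any CODESYS "
                           "present is a separate install")
            findings.append(Finding(name, version, verdict))
        elif "codesys" in lname:
            findings.append(Finding(name, version,
                "REVIEW: separately installed CODESYS component, compare "
                "version with the advisory's affected list"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.name} {f.version}: {f.verdict}")
```

The string-versus-numeric comparison is the point worth keeping: a host running 2.10.x would be misreported as "below 2.8.0.138" by any tool that sorts version strings lexically, which is exactly the false positive that erodes trust in OT patch reports.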
Evidence notes
Primary evidence comes from CISA CSAF ICSA-26-076-01, which republishes the Festo advisory FSA-202601 on 2026-03-17 after the original 2026-02-26 publication. The advisory explicitly describes the post-authentication invalid address read in CmpApp and limits the stated impact to denial of service. Product/version scope and remediation guidance are taken from the advisory metadata and remediation fields. No exploit code or unsupported impact claims are included.
Official resources
- CVE-2023-37549 CVE record (CVE.org)
- CVE-2023-37549 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2023-37549 was published on 2026-02-26 and republished/updated in the CISA advisory stream on 2026-03-17. The source material ties the issue to Festo Automation Suite and CODESYS-related components, with a later advisory update