PatchSiren cyber security CVE debrief
CVE-2023-37553 CODESYS CVE debrief
CVE-2023-37553 affects multiple versions of CODESYS products used in Festo Automation Suite. After successful authentication, a user can send specially crafted network communication requests with inconsistent content that cause the CmpAppBP component to read from an invalid internal address, creating a denial-of-service risk. The advisory is tied to Festo Automation Suite/CODESYS deployments rather than to a standalone internet-facing service.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT administrators, industrial control engineers, and security teams responsible for Festo Automation Suite installations and any affected CODESYS components. This is especially relevant where CODESYS is bundled with or separately installed alongside Festo Automation Suite and where authenticated users can reach the affected network interface.
Technical summary
The source advisory describes an authenticated, network-reachable flaw in CmpAppBP: crafted requests with inconsistent content can trigger an invalid internal address read. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which encodes network access, low attack complexity, low privileges, no user interaction, unchanged scope, and high availability impact with no confidentiality or integrity impact, so the rating is a medium-severity availability issue rather than a confidentiality or integrity one. Affected products in the source include Festo Automation Suite versions below 2.8.0.138 and specific CODESYS Development System combinations listed in the advisory.
Defensive priority
Medium. Prioritize remediation on affected Festo Automation Suite/CODESYS systems because the issue is network-reachable after authentication and can disrupt availability. If the component is exposed to multiple trusted users or shared operational environments, treat it as a higher operational risk.
Recommended defensive actions
- Upgrade to a patched CODESYS release obtained from the official CODESYS source referenced in the advisory.
- Apply Festo Automation Suite updates promptly, including the connector updates Festo releases for the suite.
- Verify whether your Festo Automation Suite installation includes affected bundled or separately installed CODESYS components.
- Restrict authenticated access to the affected network path to only necessary operators and systems.
- Monitor CODESYS and Festo security advisories for follow-on fixes or revised affected-version guidance.
- Document which systems are on Festo Automation Suite 2.8.0.137 or earlier and schedule remediation first for exposed or production OT assets.
Evidence notes
All claims here are taken from the supplied CISA CSAF advisory and its referenced official sources. The advisory states that, after successful authentication, crafted network communication requests with inconsistent content can cause CmpAppBP to read from an invalid address, potentially resulting in denial of service. The supplied remediation text states that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and that customers should install patched CODESYS versions and keep the FAS connector updated. The vendor mapping in the provided data is low-confidence and should be validated before use in asset inventories.
Official resources
- CVE-2023-37553 CVE record (CVE.org)
- CVE-2023-37553 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the CSAF advisory on 2026-02-26 and republished it on 2026-03-17 to reflect the vendor advisory revision. Use the 2026-02-26 published date as the disclosure date for this CVE record.