PatchSiren cyber security CVE debrief
CVE-2023-37558 CODESYS CVE debrief
CVE-2023-37558 is an authenticated denial-of-service issue affecting multiple CODESYS products and versions as distributed with Festo Automation Suite. A user who has already authenticated can send crafted network communication requests with inconsistent content and cause the CmpAppForce component to read from an invalid address, potentially disrupting availability. The issue is distinct from CVE-2023-37559.
- Vendor: CODESYS
- Product: FESTO (CODESYS as distributed with Festo Automation Suite)
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT and engineering teams running Festo Automation Suite installations that include affected CODESYS components, especially where authenticated users can access the service. Security and operations staff should also care if system availability is important to production or commissioning workflows.
Technical summary
According to the CISA CSAF advisory for ICSA-26-076-01, the flaw occurs after successful authentication and is triggered by specific crafted network communication requests with inconsistent content. The result is an internal invalid-address read in CmpAppForce, which can lead to a denial-of-service condition. The advisory lists affected Festo Automation Suite configurations including versions below 2.8.0.138 and bundled CODESYS Development System components such as 3.0, 3.5.16.10, and 3.5.21.20.
Defensive priority
Medium
Recommended defensive actions
- Update to the latest patched CODESYS release from the official CODESYS website.
- Apply Festo Automation Suite updates as released by Festo, including connector updates.
- Review which systems still bundle or rely on affected CODESYS versions and plan remediation accordingly.
- Limit authenticated access to affected OT/engineering services to only the users who need it.
- Monitor vendor security advisories for follow-on fixes or version-specific guidance.
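The inventory review above is where most of the work lands in practice, and the usual mistake is comparing dotted build numbers as strings. The following is an added example, not code from the CISA/Festo advisory or from CODESYS: it takes the affected-version facts as the debrief states them (Festo Automation Suite below 2.8.0.138; CODESYS Development System versions 3.0, 3.5.16.10 and 3.5.21.20 named as affected), applies a numeric version comparison, and flags hosts from a constructed sample inventory. The host names, the inventory rows, and the rule that CODESYS versions are matched exactly against the named list are assumptions made for the example; confirm the matching rule against the advisory's own version ranges before relying on it.

```python
"""Inventory triage for CVE-2023-37558 (added example, not from the advisory).

Assumptions (not from the source page): the inventory rows below are
constructed sample data, and CODESYS versions are matched exactly against
the versions the debrief names rather than against a range.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Facts taken from the debrief above.
FAS_FIXED = "2.8.0.138"                                # FAS versions below this are listed as affected
CODESYS_AFFECTED = {"3.0", "3.5.16.10", "3.5.21.20"}    # CODESYS Development System versions named as affected


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 2.10.0.1 sorts after 2.8.0.138.

    A plain string comparison would put "2.10..." before "2.8..." because
    '1' < '8', which is exactly the error that hides unpatched hosts.
    """
    return tuple(int(p) for p in v.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b numerically; shorter versions are zero-padded (2.8 == 2.8.0.0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


@dataclass
class Host:
    name: str
    fas_version: Optional[str]       # Festo Automation Suite version, None if not installed
    codesys_version: Optional[str]   # bundled CODESYS Development System version, None if unknown


def assess(host: Host) -> List[str]:
    """Return the reasons a host is flagged; an empty list means no rule matched."""
    reasons: List[str] = []
    if host.fas_version and version_lt(host.fas_version, FAS_FIXED):
        reasons.append(f"Festo Automation Suite {host.fas_version} < {FAS_FIXED}")
    if host.codesys_version and host.codesys_version in CODESYS_AFFECTED:
        reasons.append(f"CODESYS Development System {host.codesys_version} is in the affected list")
    return reasons


def triage(inventory: List[Host]) -> Dict[str, List[str]]:
    """Map each host name to its list of flag reasons."""
    return {h.name: assess(h) for h in inventory}


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Host("eng-ws-01", "2.7.0.50", "3.5.16.10"),   # old FAS and a named CODESYS version
    Host("eng-ws-02", "2.8.0.138", None),         # exactly the fixed FAS version
    Host("eng-ws-03", "2.10.0.1", "3.5.21.20"),   # newer FAS (string compare would mis-flag it)
    Host("eng-ws-04", None, "3.5.19.0"),          # CODESYS version not in the named list
]

if __name__ == "__main__":
    for name, reasons in triage(INVENTORY).items():
        status = "FLAG" if reasons else "ok  "
        print(f"{status} {name}: {'; '.join(reasons) or 'no affected version matched'}")
```

Hosts with an unknown CODESYS version (None) are silently treated as unmatched here; in a real review, treat unknown as "needs inspection" rather than as clean.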
Evidence notes
Primary evidence comes from CISA's CSAF advisory ICSA-26-076-01 for 'CODESYS in Festo Automation Suite' published on 2026-02-26 and republished from Festo on 2026-03-17. The advisory description states that after successful authentication, crafted network communication requests with inconsistent content can cause CmpAppForce to read from an invalid address, leading to denial of service. The source metadata lists affected Festo Automation Suite and CODESYS Development System versions and remediation guidance to install patched CODESYS releases and keep Festo updates current.
Official resources
- CVE-2023-37558 CVE record (CVE.org)
- CVE-2023-37558 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2026-02-26; CISA republication of the Festo advisory is recorded on 2026-03-17.