PatchSiren cyber security CVE debrief
CVE-2025-41659 CODESYS CVE debrief
CVE-2025-41659 is a high-severity issue affecting CODESYS components used with Festo Automation Suite. A low-privileged remote attacker may access the runtime PKI folder, read or modify certificates and keys, and potentially make certificates appear trusted; if certificates are deleted, services remain available but communication may fall back to unencrypted mode. CISA’s advisory was published on 2026-02-26 and republished on 2026-03-17 from Festo’s vendor notice.
- Vendor: CODESYS
- Product: FESTO
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators, Festo Automation Suite administrators, and teams responsible for CODESYS deployments, certificate management, or encrypted industrial communications should prioritize this issue.
Technical summary
The advisory describes a network-reachable, low-privilege vulnerability in the CODESYS Control runtime system as shipped with certain Festo Automation Suite releases. Impacted configurations include Festo Automation Suite versions below 2.8.0.138 with bundled CODESYS Development System components noted in the advisory metadata. The reported effect is unauthorized read/write access to the PKI folder, which can expose certificate material, alter trust decisions, or remove certificates and force unencrypted communication without taking services offline.
Defensive priority
High. The issue affects certificate integrity and confidentiality on a remotely reachable path, and successful abuse can undermine trust decisions even though availability is preserved.
Recommended defensive actions
- Upgrade Festo Automation Suite to version 2.8.0.138 or later.
- Install the latest patched CODESYS release directly from the official CODESYS website, as Festo states CODESYS is no longer bundled starting with Festo Automation Suite 2.8.0.138.
- Follow the CODESYS installation and update guidance exactly so the security fixes are applied correctly.
- Keep the Festo Automation Suite connector updated using Festo-released updates.
- Review PKI-related file and folder access on affected systems and look for unexpected certificate or key changes.
- Verify that encrypted communications remain enabled after remediation and investigate any fallback to unencrypted operation.
- Monitor official Festo, CertVDE, CISA, and CODESYS advisories for follow-on updates or revised guidance.
Evidence notes
The source advisory text states that a low-privileged attacker can remotely access the CODESYS runtime PKI folder, read and write certificates and keys, and either extract sensitive data or cause certificates to be accepted as trusted. It also states that deleting certificates does not stop services, but leaves only unencrypted communication possible. The remediation text says that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and customers should obtain the latest patched CODESYS release from the official CODESYS website. Timing context in the supplied source places the initial advisory publication on 2026-02-26 and a CISA republication on 2026-03-17.
Official resources
- CVE-2025-41659 CVE record (CVE.org)
- CVE-2025-41659 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed through official CISA and vendor advisories on 2026-02-26, with a CISA republication on 2026-03-17. This debrief is limited to the supplied official source material and does not add exploit or proof-of-concept detail.