PatchSiren cyber security CVE debrief

CVE-2019-13532 Festo CVE debrief

CVE-2019-13532 affects the CODESYS V3 web server prior to version 3.5.14.10. According to the supplied CISA advisory ICSA-26-076-01, specially crafted HTTP or HTTPS requests may allow access to files outside the controller's restricted working directory. The advisory was published on 2026-02-26 and republished on 2026-03-17. For Festo Automation Suite users, the remediation notes say that CODESYS is no longer bundled starting with Festo Automation Suite 2.8.0.138 and should instead be obtained as a separately patched release from the official CODESYS website.

Vendor: Festo
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

OT and ICS administrators, control engineers, and asset owners running CODESYS V3 web servers, especially those deployed through or alongside Festo Automation Suite.

Technical summary

The advisory describes a network-reachable web server issue in CODESYS V3 versions before 3.5.14.10. An attacker who can send crafted HTTP or HTTPS requests may be able to access files outside the controller's restricted working directory. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and a high confidentiality impact with no integrity or availability impact. That combination yields the high-severity 7.5 base score.

Defensive priority

High. Prioritize any reachable CODESYS web server in an OT environment, with the highest urgency for systems exposed beyond tightly controlled administration networks.

Recommended defensive actions

  • Upgrade CODESYS V3 web server installations to version 3.5.14.10 or later.
  • If using Festo Automation Suite, move to version 2.8.0.138 or later and confirm the CODESYS component is handled per the advisory guidance.
  • Download patched CODESYS releases only from the official CODESYS website and follow the vendor's update instructions.
  • Restrict access to controller web interfaces to trusted administration networks and keep CODESYS and Festo advisories under active monitoring.
  • Keep the Festo Automation Suite connector current by applying FAS updates as they are released by Festo.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01, which was initially published on 2026-02-26 and republished on 2026-03-17. The source text states that CODESYS V3 web server versions prior to 3.5.14.10 may allow specially crafted HTTP or HTTPS requests to access files outside the controller's restricted working directory. The remediation section states that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS and directs customers to install the latest patched CODESYS release from the official CODESYS website.

Official resources

Public advisory disclosed in CISA ICSA-26-076-01 on 2026-02-26 and republished on 2026-03-17. No Known Exploited Vulnerabilities listing is present in the supplied record.