PatchSiren cyber security CVE debrief
CVE-2019-13548 Festo CVE debrief
CVE-2019-13548 is a critical, network-reachable stack overflow affecting the CODESYS V3 web server. In the CISA advisory published on 2026-02-26 and republished on 2026-03-17, specially crafted HTTP or HTTPS requests are described as capable of causing a denial-of-service condition and potentially remote code execution. The advisory is tied to CODESYS in the Festo Automation Suite context, and the supplied remediation guidance emphasizes moving to patched CODESYS releases and keeping the Festo Automation Suite connector current.
- Vendor: Festo
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS defenders, plant engineers, and administrators responsible for Festo Automation Suite installations that include CODESYS components, especially where the CODESYS V3 web server may be reachable from the network.
Technical summary
The advisory describes a stack overflow in the CODESYS V3 web server for versions prior to 3.5.14.10. An attacker who can send crafted HTTP or HTTPS requests may be able to trigger service disruption or, in the worst case, remote code execution. The supplied CVSS vector indicates network attack, no privileges, no user interaction, and full impact on confidentiality, integrity, and availability.
Defensive priority
Critical. The vulnerability is remotely reachable and the advisory explicitly includes remote code execution as a possible outcome, so exposed systems should be prioritized for update and exposure reduction.
Recommended defensive actions
- Update CODESYS V3 web server installations to version 3.5.14.10 or later.
- If using Festo Automation Suite, install Festo Automation Suite 2.8.0.138 or later and follow the vendor's separate CODESYS installation and update instructions.
- Download patched CODESYS software only from the official CODESYS website and apply security updates promptly.
- Review whether the CODESYS web server is reachable from untrusted networks and restrict access where possible.
- Monitor CODESYS and Festo security advisories for follow-on updates or dependency guidance.
- Apply general ICS defense-in-depth and segmentation practices to limit the blast radius of a web-server compromise.
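As an added example (not part of the advisory or this page), a small inventory triage helper that compares installed versions against the two fixed versions named above; the product labels, hostnames and versions in the sample inventory are constructed, and the point it makes is that versions must be compared field by field rather than as strings.

```python
"""Added triage helper (not from the advisory): flags inventory entries
that still run a CODESYS V3 web server older than 3.5.14.10 or a Festo
Automation Suite older than 2.8.0.138, the fixed versions the advisory names.
Versions are compared numerically, field by field, because a plain string
comparison would wrongly rank "3.5.14.9" above "3.5.14.10"."""
from __future__ import annotations

# Fixed versions named in the advisory's remediation guidance.
FIXED_VERSIONS = {
    "codesys-v3-webserver": (3, 5, 14, 10),
    "festo-automation-suite": (2, 8, 0, 138),
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.5.14.10' into (3, 5, 14, 10); reject anything not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is older than the fixed version."""
    fixed = FIXED_VERSIONS[product]
    installed = parse_version(version)
    # Pad with zeros so a short string like "3.5" compares as (3, 5, 0, 0).
    width = max(len(fixed), len(installed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed < fixed

def triage(inventory):
    """Return the (host, product, version) entries that still need an update."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED_VERSIONS:
            continue  # unrelated software, nothing to check against
        try:
            if is_vulnerable(product, version):
                findings.append((host, product, version))
        except ValueError:
            # Unparseable version: flag it so someone verifies it by hand.
            findings.append((host, product, version))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("plc-line1", "codesys-v3-webserver", "3.5.14.9"),
    ("plc-line2", "codesys-v3-webserver", "3.5.14.10"),
    ("eng-ws-01", "festo-automation-suite", "2.7.0.200"),
    ("eng-ws-02", "festo-automation-suite", "2.8.0.138"),
    ("hmi-01", "codesys-v3-webserver", "unknown"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host} runs {product} {version}")
```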
Evidence notes
All factual claims are drawn from the supplied CISA CSAF advisory ICSA-26-076-01 and its listed references. The advisory description states that CODESYS V3 web server versions prior to 3.5.14.10 are affected by crafted HTTP/HTTPS requests that can cause stack overflow, denial of service, and possible remote code execution. The remediation text states that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and must be installed separately, and it directs customers to the official CODESYS website for patched versions. The supplied metadata contains a vendor/product mapping inconsistency, so scope should be validated against the cited advisory before operational changes.
Official resources
- CVE-2019-13548 CVE record (CVE.org)
- CVE-2019-13548 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-02-26 and republished it on 2026-03-17; those dates are used here for timing context. The supplied vendor/product metadata is not fully consistent, so the affected-scope details should be validated using,