PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-9008 Festo CVE debrief

CVE-2019-9008 is a high-severity privilege-escalation issue affecting 3S-Smart CODESYS V3 through 3.5.12.30. According to the CISA-republished advisory, a user with low privileges can take full control of the runtime, which makes this especially important for industrial automation environments using affected CODESYS components.

Vendor
Festo
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2025-09-30
Original CVE updated
2025-11-13
Advisory published
2025-09-30
Advisory updated
2025-11-13

Who should care

OT/ICS operators, industrial automation engineers, and system administrators running CODESYS-based runtime environments—especially Festo Automation Suite installations that bundled CODESYS before version 2.8.0.138.

Technical summary

The advisory describes a low-privilege path to full control of the runtime in CODESYS V3 through 3.5.12.30. The supplied vector, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8 High), reads as: exploitable over the network (AV:N) with low attack complexity (AC:L), requiring only a low-privileged account (PR:L) and no user interaction (UI:N), with the impact confined to the runtime itself (S:U) but high for confidentiality, integrity and availability (C:H/I:H/A:H). The advisory text stored here does not name the specific component or weakness involved, so every network-reachable CODESYS V3 runtime in the affected range should be treated as in scope.

Defensive priority

High. In OT environments, a low-privilege path to runtime control can affect production logic and safety-adjacent operations. Systems running affected CODESYS versions or Festo Automation Suite deployments that include them should be prioritized for verification and update.

Recommended defensive actions

  • Inventory Festo Automation Suite and CODESYS installations (engineering workstations as well as controllers running the runtime) and confirm whether any CODESYS V3 version through 3.5.12.30 is present.
  • Upgrade Festo Automation Suite to version 2.8.0.138 or later. Note that this only stops the suite from bundling CODESYS; it does not update a runtime that is already installed on the machine.
  • Download the latest patched CODESYS release (later than 3.5.12.30) directly from the official CODESYS website and follow the vendor's installation/update instructions.
  • Review and apply Festo connector and suite updates as they are released.
  • Monitor CODESYS security advisories and establish a prompt patching process for OT systems.
  • Recheck least-privilege access controls and segment OT assets to reduce the blast radius of a compromised runtime.
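The inventory step above is where most mistakes happen, usually because version strings get compared as text. The following helper is an added example written for this debrief; it is not code from PatchSiren, Festo or CODESYS. It flags CODESYS V3 runtimes in the advisory's "through 3.5.12.30" range and Festo Automation Suite builds older than 2.8.0.138 (the first release that no longer bundles CODESYS). The inventory records and their field names (`host`, `suite`, `codesys`) are constructed for the example and are not a Festo or CODESYS export format.

```python
"""
Added example: triage an installed-software inventory against the two
thresholds stated in the advisory. Not vendor code; record format is assumed.
"""
from __future__ import annotations

import re

# Advisory-derived thresholds (see the Evidence notes on this page).
CODESYS_LAST_AFFECTED = (3, 5, 12, 30)   # "through 3.5.12.30" is inclusive
SUITE_FIRST_UNBUNDLED = (2, 8, 0, 138)   # suite >= this no longer bundles CODESYS


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.5.12.30' (or 'V3.5 SP12 Patch 30'-style text) into an int tuple.

    Only digit runs are kept, so both forms give (3, 5, 12, 30). Comparing the
    tuples is numeric per component; comparing the raw strings would sort
    '3.5.9.0' after '3.5.12.30' and miss an affected runtime.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return parts


def _cmp_key(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    # Pad with zeros so a short '3.5' compares as (3, 5, 0, 0) against 4-part thresholds.
    return v + (0,) * (width - len(v))


def codesys_is_affected(version: str) -> bool:
    """True for CODESYS V3 releases in the advisory's 'through 3.5.12.30' range."""
    v = _cmp_key(parse_version(version), len(CODESYS_LAST_AFFECTED))
    # Only V3 is named in the advisory; other major versions are out of scope here.
    return v[0] == 3 and v <= CODESYS_LAST_AFFECTED


def suite_bundles_codesys(version: str) -> bool:
    """True for Festo Automation Suite builds older than 2.8.0.138 (bundled CODESYS)."""
    v = _cmp_key(parse_version(version), len(SUITE_FIRST_UNBUNDLED))
    return v < SUITE_FIRST_UNBUNDLED


def triage(inventory: list[dict]) -> list[dict]:
    """Return one finding per host that needs action, with the reasons."""
    findings = []
    for rec in inventory:
        reasons = []
        if rec.get("codesys") and codesys_is_affected(rec["codesys"]):
            reasons.append(f"CODESYS {rec['codesys']} is in the affected range (<= 3.5.12.30)")
        if rec.get("suite") and suite_bundles_codesys(rec["suite"]):
            reasons.append(f"Festo Automation Suite {rec['suite']} still bundles CODESYS (< 2.8.0.138)")
        if reasons:
            findings.append({"host": rec["host"], "reasons": reasons})
    return findings


# Constructed sample inventory (assumed format), e.g. from a workstation scan.
SAMPLE_INVENTORY = [
    {"host": "eng-ws-01", "suite": "2.7.1.9",   "codesys": "3.5.12.30"},  # both flagged
    {"host": "eng-ws-02", "suite": "2.8.0.138", "codesys": "3.5.9.0"},    # suite fine, runtime old
    {"host": "eng-ws-03", "suite": "2.8.1.0",   "codesys": "3.5.16.10"},  # clean
    {"host": "plc-cell-4", "codesys": "3.5.12.31"},                        # just past the range
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["host"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The second sample host is the case worth remembering: the suite is already at 2.8.0.138, so nothing is bundled any more, yet the separately installed runtime is still in the affected range and the host is still a finding.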

Evidence notes

Source corpus ties this CVE to CISA’s CSAF advisory ICSA-26-076-01 and the republished Festo advisory FSA-202601. The advisory text states: 'An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30. A user with low privileges can take full control over the runtime.' Remediation notes state that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be downloaded and installed separately. The supplied timeline shows initial publication on 2026-02-26 and modification/republication on 2026-03-17.

Official resources

CISA CSAF advisory ICSA-26-076-01, published 2026-02-26, and the CISA republication of the Festo advisory FSA-202601, recorded 2026-03-17.