PatchSiren cyber security CVE debrief
CVE-2019-9009 Festo CVE debrief
CVE-2019-9009 is a network-exploitable denial-of-service issue in 3S-Smart CODESYS before 3.5.15.0. According to the advisory corpus, crafted network packets can cause the Control Runtime to crash, which maps to high availability impact and no documented confidentiality or integrity impact in the supplied CVSS vector. For environments using Festo Automation Suite with bundled CODESYS components, this matters because the advisory ties the vulnerable software to Festo distributions and recommends moving to the updated Festo Automation Suite release path and applying the latest patched CODESYS build from the official vendor source.
- Vendor: Festo
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT and industrial automation teams running CODESYS Control Runtime, especially deployments bundled with or managed through Festo Automation Suite. Asset owners, patch coordinators, and operators responsible for network-exposed ICS engineering or runtime systems should prioritize review.
Technical summary
The issue is described as a flaw in 3S-Smart CODESYS before 3.5.15.0 where crafted network packets can crash the Control Runtime. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a remotely reachable availability-only impact. The CISA-republished CSAF advisory connects the problem to Festo Automation Suite deployments that include CODESYS components and notes that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS.
Defensive priority
High. The attack surface is network-based and requires no privileges or user interaction, and the primary impact is service interruption in an industrial runtime environment. Treat this as a prompt availability-risk remediation item for any exposed or operational CODESYS instances.
Recommended defensive actions
- Confirm whether any CODESYS Control Runtime instances in your environment are running versions before 3.5.15.0.
- If you use Festo Automation Suite, move to the vendor-recommended updated release path and ensure the bundled or separately installed CODESYS component is patched.
- Download and install the latest patched CODESYS release from the official CODESYS website, following vendor instructions.
- Keep Festo Automation Suite connector components current and monitor both Festo and CODESYS security advisories for follow-on updates.
- Reduce exposure of OT/ICS control services to untrusted networks where feasible and apply segmentation and monitoring around systems that must remain reachable.
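The first action above is an inventory check against the fixed version named in the advisory. The following script is an added example, not code from the advisory, Festo or CODESYS; it assumes a hypothetical inventory of dicts with "host", "product" and "version" keys, version strings of the form "3.5.15.0" or "V3.5.14.30", and uses constructed hostnames and versions. It flags runtimes older than 3.5.15.0, pads short version strings so "3.5.15" is not mistaken for an older build, and separates unparseable versions into an "unknown" bucket for manual verification rather than silently skipping them.

```python
"""Flag CODESYS Control Runtime installs older than the fixed release.

Assumptions (constructed for this example, not from the advisory):
- the inventory is a list of dicts with "host", "product" and "version" keys
- version strings look like "3.5.15.0" or "V3.5.14.30" (a leading "V" is tolerated)
"""
import re

# Fixed version named in the advisory: anything before 3.5.15.0 is affected.
FIXED_VERSION = "3.5.15.0"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn "V3.5.14.30" into (3, 5, 14, 30); raise ValueError on garbage."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` sorts strictly before `fixed`.

    Shorter strings are right-padded with zeros so "3.5.15" compares equal
    to "3.5.15.0" instead of being treated as older.
    """
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "plc-line1", "product": "CODESYS Control Runtime", "version": "V3.5.14.30"},
    {"host": "plc-line2", "product": "CODESYS Control Runtime", "version": "3.5.15.0"},
    {"host": "plc-line3", "product": "CODESYS Control Runtime", "version": "3.5.16.10"},
    {"host": "plc-test", "product": "CODESYS Control Runtime", "version": "3.5.9.0"},
    {"host": "hmi-01", "product": "CODESYS Control Runtime", "version": "unknown"},
    {"host": "eng-ws1", "product": "Festo Automation Suite", "version": "2.8.0.138"},
]


def triage(inventory):
    """Return {"vulnerable": [...], "patched": [...], "unknown": [...]} keyed by host."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for item in inventory:
        # Only CODESYS runtime entries are in scope for this CVE; the Festo
        # Automation Suite entry itself is not the affected component.
        if "CODESYS" not in item["product"]:
            continue
        try:
            bucket = "vulnerable" if is_vulnerable(item["version"]) else "patched"
        except ValueError:
            # Unparseable version strings need manual verification, not silent skipping.
            bucket = "unknown"
        result[bucket].append(item["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage()` the output of whatever asset inventory you actually maintain; the "unknown" bucket is the list to walk down by hand, since a runtime whose version cannot be read is not evidence that it is patched.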
Evidence notes
The source corpus states: "An issue was discovered in 3S-Smart CODESYS before 3.5.15.0. Crafted network packets cause the Control Runtime to crash." The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The CISA CSAF advisory (ICSA-26-076-01) was initially published on 2026-02-26 and republished on 2026-03-17, and its remediation text says that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and customers should install the latest patched CODESYS version separately.
Official resources
- CVE-2019-9009 CVE record (CVE.org)
- CVE-2019-9009 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA’s CSAF advisory for this issue was first published on 2026-02-26 and republished on 2026-03-17. The advisory identifies the vulnerable CODESYS versions as those before 3.5.15.0 and ties the issue to Festo Automation Suite deployments.