PatchSiren cyber security CVE debrief
CVE-2019-9010 Festo CVE debrief
CVE-2019-9010 is a critical authentication/authorization flaw in the CODESYS Gateway used by multiple CODESYS V3 products. According to the CISA CSAF advisory published on 2026-02-26 and updated on 2026-03-17, the gateway does not correctly verify ownership of a communication channel. The advisory says all variants of the listed CODESYS V3 products that include the CmpGateway component are affected in versions prior to v3.5.14.20, regardless of CPU type or operating system. For Festo Automation Suite users, the remediation guidance says to install the latest patched CODESYS release from the official CODESYS site and keep Festo Automation Suite connector updates current.
- Vendor: Festo
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS operators, automation engineers, and administrators running CODESYS V3 components, especially CODESYS Gateway V3, CODESYS Development System, or Festo Automation Suite installations that rely on CODESYS.
Technical summary
The issue is an ownership-verification failure in the CODESYS Gateway's handling of communication channels. The gateway brokers channels between clients such as the Development System and the runtimes behind it, but it does not correctly check that the party acting on a channel is the one that owns it, so an unauthenticated network peer can interact with channels it does not own. The advisory rates the flaw CVSS 3.1 9.8, which corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Affected products are all variants of CODESYS Control for BeagleBone, emPC-A/iMX6, IOT2000, Linux, PFC100, PFC200, and Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, and CODESYS V3 Development System in versions prior to v3.5.14.20, whenever the installation contains the CmpGateway component, regardless of CPU type or operating system.
Defensive priority
Immediate
Recommended defensive actions
- Inventory every system running CODESYS V3 components and record for each whether it includes CmpGateway or CODESYS Gateway V3; the advisory scopes the flaw by component, not by product name or platform.
- Upgrade affected CODESYS products to v3.5.14.20 or later, following vendor instructions, and confirm the installed version afterwards rather than assuming the upgrade took effect.
- If using Festo Automation Suite, update to the latest supported release. From 2.8.0.138 onward CODESYS is no longer bundled, so download and install the patched CODESYS release from the official CODESYS website separately, and keep Festo Automation Suite connector updates current.
- Monitor CODESYS and CISA advisories for follow-on guidance.
- Reduce exposure of the gateway service: segment OT networks so the gateway is reachable only from trusted engineering workstations, and patch any gateway reachable from outside that path first, since the flaw needs no credentials.
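The inventory, version boundary and exposure checks above can be combined into one triage pass. The script below is an added example for this debrief, not advisory text and not CODESYS or Festo code. The host records, version strings and the engineering network 10.10.50.0/24 are constructed; the mapping of "V3.5 SPnn Patch m" names onto the dotted form assumes the CODESYS convention that patch releases step the fourth version component by ten (V3.5 SP14 Patch 2 is 3.5.14.20). The CmpGateway flag per host is an input the script expects you to collect yourself.

```python
"""Inventory triage for CVE-2019-9010: flag CODESYS V3 installs that still carry
CmpGateway below the fixed version 3.5.14.20 and rank them by network exposure.
Added example; hosts, version strings and networks are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Version boundary stated in the advisory: anything below this with CmpGateway is affected.
FIXED_VERSION = (3, 5, 14, 20)

# Assumption for this example: only these source networks are trusted engineering paths.
ENGINEERING_NETS = (ipaddress.ip_network("10.10.50.0/24"),)

_DOTTED = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)
# Marketing form "V3.5 SP14 Patch 2"; CODESYS steps the fourth component by ten per patch.
_MARKETING = re.compile(r"^v?(\d+)\.(\d+)\s*sp\s*(\d+)(?:\s*patch\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Normalise a CODESYS version string to a comparable 4-tuple."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _MARKETING.match(text)
    if m:
        major, minor, sp, patch = m.groups()
        return (int(major), int(minor), int(sp), 10 * int(patch or 0))
    raise ValueError(f"unrecognised CODESYS version string: {text!r}")


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    has_cmpgateway: bool          # component presence decides scope, not the product name
    gateway_allowed_from: tuple   # source CIDRs permitted to reach the gateway service


def untrusted_sources(host: Host) -> list:
    """Source networks that can reach the gateway but are not inside an engineering net."""
    untrusted = []
    for cidr in host.gateway_allowed_from:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(eng) for eng in ENGINEERING_NETS):
            untrusted.append(cidr)
    return untrusted


def triage(host: Host) -> str:
    """Priority for one host: not-affected, patched, high, or immediate."""
    if not host.has_cmpgateway:
        return "not-affected"
    if parse_version(host.version) >= FIXED_VERSION:
        return "patched"
    if untrusted_sources(host):
        return "immediate"   # vulnerable and reachable beyond trusted admin paths
    return "high"            # vulnerable, but only trusted engineering nets can reach it


def triage_inventory(hosts) -> dict:
    """Map each host name to its triage priority."""
    return {h.name: triage(h) for h in hosts}


# Constructed inventory for the example.
INVENTORY = (
    Host("eng-gw-01", "CODESYS Gateway V3", "3.5.14.10", True, ("0.0.0.0/0",)),
    Host("plc-linux-11", "CODESYS Control for Linux", "V3.5 SP14", True, ("10.10.0.0/16",)),
    Host("plc-rpi-03", "CODESYS Control for Raspberry Pi", "3.5.13.0", True, ("10.10.50.0/24",)),
    Host("plc-pfc200-07", "CODESYS Control for PFC200", "V3.5 SP14 Patch 2", True, ("10.10.50.0/24",)),
    Host("dev-ws-05", "CODESYS V3 Development System", "3.5.15.0", True, ("10.10.50.0/24",)),
    Host("hmi-02", "Vendor HMI without CmpGateway", "3.5.12.0", False, ()),
)

if __name__ == "__main__":
    order = {"immediate": 0, "high": 1, "patched": 2, "not-affected": 3}
    for name, prio in sorted(triage_inventory(INVENTORY).items(), key=lambda kv: order[kv[1]]):
        print(f"{prio:13} {name}")
```

The CmpGateway flag is kept separate from the product name on purpose: the advisory scopes the flaw by that component, so a product that looks in scope but was built without CmpGateway is not affected, and a product that bundles it is affected whatever its name. A gateway whose allowed-source list contains 0.0.0.0/0 models the common case of no source restriction at all and lands at the top of the queue.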
Evidence notes
Primary evidence comes from the CISA CSAF advisory source item and its mirrored vendor references. The source text explicitly states the channel-ownership verification flaw, the affected CODESYS V3 product list, and the version boundary of v3.5.14.20. The remediation text in the advisory states that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and must be downloaded and installed separately by the customer. The input metadata shows low-confidence vendor attribution, so the product/vendor mapping should be treated carefully and reviewed against the advisory title and affected-product list.
Official resources
- CVE-2019-9010 CVE record (CVE.org)
- CVE-2019-9010 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references: seven references mirrored from the CSAF source item
Use the supplied dates as advisory timing context: published on 2026-02-26 and modified on 2026-03-17. CISA republished the vendor advisory content during that period, and those dates should be treated as the advisory record dates in this d