PatchSiren cyber security CVE debrief
CVE-2019-9011 Festo CVE debrief
CVE-2019-9011 is a low-complexity information disclosure issue that can let a remote attacker identify valid usernames in affected software. The supplied corpus ties the issue to a CISA-republished Festo advisory for CODESYS-related products, but the CVE description itself names Pilz PMC programming tool 3.x before 3.5.17, so product attribution should be verified before remediation.
- Vendor: Festo
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS administrators, engineers, and security teams responsible for CODESYS-based tooling, Festo Automation Suite deployments, and any exposed authentication interface that could be probed for valid account names.
Technical summary
The issue is username enumeration: an attacker can distinguish valid from invalid usernames through the affected product's authentication behavior. The supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) matches a remote, unauthenticated disclosure with limited confidentiality impact and no direct integrity or availability impact.
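To make the enumeration mechanism concrete, the following added example (written for this debrief, not code from Festo, Pilz or CODESYS) shows a login routine whose failure path leaks whether a username exists beside a hardened version that returns one uniform message and always performs the password hash, plus a small log check a defender can run to spot a source that is cycling through many account names. The user store, the dummy credential, and the log lines are constructed for the example.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # PBKDF2 work factor; chosen for the example only


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash). Not a real account.
_SALT = b"constructed-salt-value"
USERS = {"operator": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy credential hashed up front so an unknown username costs the same
# work as a known one (no timing difference between the two branches).
_DUMMY = (_SALT, _hash("dummy-never-valid", _SALT))


def leaky_login(username: str, password: str) -> tuple[bool, str]:
    """Enumerable form: the failure message tells the caller whether the
    username exists, and unknown users skip the hash (faster response)."""
    record = USERS.get(username)
    if record is None:
        return (False, "unknown user")
    salt, digest = record
    if hmac.compare_digest(_hash(password, salt), digest):
        return (True, "ok")
    return (False, "wrong password")


def hardened_login(username: str, password: str) -> tuple[bool, str]:
    """Uniform form: same message for every failure, and the password hash
    is always computed, against the dummy record if the user is unknown."""
    salt, digest = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), digest)
    # The membership test runs after the hash so both branches do equal work.
    ok = matches and username in USERS
    return (ok, "ok" if ok else "invalid credentials")


def responses_indistinguishable(login, known: str, unknown: str) -> bool:
    """Review check: a failed login for a known user and for an unknown user
    must produce the same message, otherwise the endpoint enumerates."""
    return login(known, "not-the-password")[1] == login(unknown, "not-the-password")[1]


# Constructed authentication log lines in a simple key=value format.
LOG_LINES = [
    "2026-01-01T10:00:01 src=10.0.0.5 user=operator result=fail",
    "2026-01-01T10:00:07 src=10.0.0.5 user=operator result=ok",
    "2026-01-01T10:01:00 src=10.0.0.9 user=admin result=fail",
    "2026-01-01T10:01:01 src=10.0.0.9 user=operator result=fail",
    "2026-01-01T10:01:02 src=10.0.0.9 user=engineer result=fail",
    "2026-01-01T10:01:03 src=10.0.0.9 user=service result=fail",
    "2026-01-01T10:01:04 src=10.0.0.9 user=root result=fail",
    "2026-01-01T10:01:05 src=10.0.0.9 user=guest result=fail",
]


def enumeration_suspects(lines, threshold: int = 5) -> list[str]:
    """Return sources whose failed logins span at least `threshold` distinct
    usernames: a password-guessing client repeats one name, an enumeration
    client walks through many."""
    per_source: dict[str, set[str]] = {}
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("result") == "fail":
            per_source.setdefault(fields["src"], set()).add(fields["user"])
    return sorted(src for src, users in per_source.items() if len(users) >= threshold)


if __name__ == "__main__":
    print("leaky endpoint uniform?", responses_indistinguishable(leaky_login, "operator", "nobody"))
    print("hardened endpoint uniform?", responses_indistinguishable(hardened_login, "operator", "nobody"))
    print("enumeration suspects:", enumeration_suspects(LOG_LINES))
```

The `responses_indistinguishable` check is the kind of test to add to an authentication component's regression suite; the log check is deliberately threshold-based so it can be tuned per environment rather than alerting on every failed login.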
Defensive priority
Medium. Prioritize if the affected software is reachable from untrusted networks or used in environments where account names can be leveraged for follow-on phishing or password attacks; otherwise address it in the next maintenance window.
Recommended defensive actions
- Verify the exact affected product and version against the vendor advisory before making changes, because the supplied corpus is inconsistent about whether the issue applies to Pilz PMC programming tool or Festo/CODESYS-b
- Update to the latest patched CODESYS release referenced by the vendor guidance, and apply the corresponding Festo Automation Suite update; the corpus states that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS
- Follow the installation and update instructions provided by CODESYS so that all security fixes are applied, and keep monitoring CODESYS security advisories for new fixes
- Use CISA industrial control system recommended practices to reduce exposure of authentication services and to limit access to affected management interfaces
Evidence notes
The source corpus contains a product-mapping inconsistency: the CVE description says 'Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System),' while the CISA CSAF source item republishes a Festo advisory for Festo Automation Suite and bundled CODESYS components. The defensive summary is therefore limited to the evidence provided and avoids assuming a single definitive product owner beyond the supplied sources.
Official resources
- CVE-2019-9011 CVE record (CVE.org)
- CVE-2019-9011 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-02-26 and republished it on 2026-03-17; use those dates for disclosure timing. The corpus also points to a vendor advisory named FSA-202601, but the CVE description and advisory metadata do not fully line