PatchSiren cyber security CVE debrief
CVE-2019-9012 Festo CVE debrief
CVE-2019-9012 is a network-reachable denial-of-service issue affecting 3S-Smart CODESYS V3 products that include the CmpGateway component. According to the supplied CISA advisory, a crafted communication request can trigger uncontrolled memory allocations and may make the affected product unavailable. The advisory applies to all variants of the listed CODESYS V3 products prior to v3.5.14.20, regardless of CPU type or operating system. The supplied source also ties the issue to Festo Automation Suite distribution details and notes that from version 2.8.0.138 onward, CODESYS is no longer bundled and must be installed separately.
- Vendor: Festo
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
Industrial control system operators, engineers, and administrators running CODESYS V3-based products that include CmpGateway, especially CODESYS Control, Gateway V3, or Development System deployments. Organizations using Festo Automation Suite should also review whether their installation depends on a bundled or separately installed CODESYS component.
Technical summary
The advisory describes a flaw in how affected CODESYS V3 products handle a crafted communication request. That request may cause uncontrolled memory allocations, leading to denial of service. The source identifies the affected scope as all variants of specific CODESYS V3 products containing CmpGateway, in versions prior to v3.5.14.20, and states the impact is availability-only (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Defensive priority
High. The issue can be triggered over the network and can take affected automation components out of service, which is especially important in industrial environments where availability matters more than confidentiality or integrity.
Recommended defensive actions
- Upgrade affected CODESYS V3 products to v3.5.14.20 or later, as identified in the advisory.
- If using Festo Automation Suite, follow the vendor guidance to install the latest patched CODESYS release directly from the official CODESYS website.
- Keep Festo Automation Suite connector components up to date by applying FAS updates as released by Festo.
- Review whether any deployed systems include the CmpGateway component and inventory all affected CODESYS V3 variants listed in the advisory.
- Use CISA industrial control system defense-in-depth practices to reduce exposure, including restricting network access to engineering and gateway services.
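The inventory step above is easy to get wrong when version strings are written inconsistently ("V3.5.14.20" vs "3.5.14.10") or when a product runs CODESYS V3 without the CmpGateway component. The following added example (not code from the advisory, CODESYS or Festo) applies the advisory's affected-range rule, CODESYS V3 products containing CmpGateway at versions prior to v3.5.14.20, to a constructed inventory; the host names, products and component lists are made up for illustration.

```python
# Added example: flag inventory records that fall inside the affected range
# described in the advisory (CODESYS V3 + CmpGateway, version < 3.5.14.20).
import re

FIXED_VERSION = "3.5.14.20"  # first fixed version per the advisory


def parse_version(text):
    """Turn 'V3.5.14.20', 'v3.5.14.20' or '3.5.14.20' into a comparable tuple."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version, components):
    """True if this record is a CODESYS V3 build with CmpGateway below the fix."""
    v = parse_version(version)
    if v[0] != 3:                      # advisory scope is CODESYS V3 only
        return False
    if "CmpGateway" not in components: # only builds containing CmpGateway
        return False
    return v < parse_version(FIXED_VERSION)


# Constructed sample inventory (hypothetical hosts; not from the advisory)
INVENTORY = [
    {"host": "plc-line1", "product": "CODESYS Control", "version": "V3.5.13.10",
     "components": ["CmpGateway", "CmpRouter"]},
    {"host": "plc-line2", "product": "CODESYS Control", "version": "3.5.14.20",
     "components": ["CmpGateway"]},
    {"host": "eng-ws-01", "product": "CODESYS Development System", "version": "v3.5.14.0",
     "components": ["CmpGateway"]},
    {"host": "plc-line3", "product": "CODESYS Control", "version": "3.5.12.80",
     "components": ["CmpRouter"]},          # no CmpGateway: out of scope
    {"host": "legacy-hmi", "product": "CODESYS V2 runtime", "version": "2.3.9.58",
     "components": []},                     # V2: out of scope for this advisory
]


def affected_hosts(inventory=INVENTORY):
    """Return the host names whose records match the affected range, in order."""
    return [rec["host"] for rec in inventory
            if is_affected(rec["version"], rec["components"])]


if __name__ == "__main__":
    for host in affected_hosts():
        print(f"{host}: CODESYS V3 with CmpGateway below {FIXED_VERSION}, upgrade required")
```

Tuple comparison gives the "prior to" semantics the advisory uses, so 3.5.14.20 itself is reported as fixed while 3.5.14.0 and 3.5.13.x are flagged; records without CmpGateway or on a non-V3 major version are left alone so that remediation effort goes to the systems the advisory actually covers.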
Evidence notes
The supplied CISA CSAF advisory (ICSA-26-076-01) states that a crafted communication request may cause uncontrolled memory allocations and denial of service, and that all variants of the listed CODESYS V3 products prior to v3.5.14.20 containing CmpGateway are affected. The source metadata lists publication on 2026-02-26 and an update/republish on 2026-03-17. The advisory title in the source item is 'CODESYS in Festo Automation Suite,' and the remediation text says that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled.
Official resources
- CVE-2019-9012 CVE record (CVE.org)
- CVE-2019-9012 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
Per the supplied source timeline, the advisory was published on 2026-02-26 and republished/updated on 2026-03-17. Those dates describe the advisory record in the provided corpus and should not be treated as the original issue date.