PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-9013 Festo CVE debrief

CVE-2019-9013 describes a transport-protection weakness in 3S-Smart CODESYS V3 products: the application may use non-TLS-based encryption, which can leave user credentials insufficiently protected while they are in transit. The advisory says all variants of the listed CODESYS V3 products that include the CmpUserMgr component are affected, regardless of CPU type or operating system. CISA’s advisory assigns a CVSS 3.1 base score of 8.8 (High), so this is a high-priority credential-protection issue for OT/ICS environments that rely on CODESYS components.

Vendor: Festo
Product: Unknown
CVSS: 8.8 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

Operators, integrators, and administrators who run affected CODESYS V3 products, especially Festo Automation Suite deployments that include or depend on CODESYS components, should treat this as important. Security teams responsible for industrial control systems should also inventory any CmpUserMgr-enabled CODESYS installations and confirm update status.

Technical summary

The issue is not described as code execution or device takeover; it is a weakness in how credentials are protected during transport. The advisory states that some CODESYS V3 products may use non-TLS-based encryption, which means credentials can be insufficiently protected in transit. The affected scope is broad: all variants of the listed products containing the CmpUserMgr component, across CPU types and operating systems. The source advisory also provides CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting a high-severity classification in the published record.

Defensive priority

High. This is a credential-exposure issue in industrial software, and the advisory scope is broad enough to justify prompt asset identification and patch verification.

Recommended defensive actions

  • Identify all installations of the affected CODESYS V3 products and confirm whether the CmpUserMgr component is present.
  • Update to the latest patched CODESYS release from the official CODESYS website, following the vendor’s installation and update instructions.
  • For Festo Automation Suite environments, apply the latest FAS updates and verify which CODESYS components are installed separately versus bundled.
  • Review exposed OT/ICS management paths and minimize unnecessary access while updates are being applied.
  • Monitor CODESYS and Festo security advisories for follow-up guidance and version-specific remediation notes.

Evidence notes

Primary evidence comes from CISA’s CSAF advisory ICSA-26-076-01 and its referenced Festo materials. The advisory text states that affected CODESYS V3 products may use non-TLS-based encryption, resulting in credentials being insufficiently protected during transport, and that all listed variants containing CmpUserMgr are affected regardless of CPU type or operating system. The source metadata also ties the issue to Festo Automation Suite packaging and remediation guidance. The prompt’s vendor field is inconsistent with the advisory content, so this debrief follows the advisory text rather than the untrusted vendor guess.

Official resources

CISA’s CSAF advisory ICSA-26-076-01 was initially published on 2026-02-26 and republished on 2026-03-17. The source advisory links the issue to Festo advisory FSA-202601 and describes the affected CODESYS V3 product families and remediation