PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-10245 Festo CVE debrief

CVE-2020-10245 is a critical buffer overflow in the CODESYS V3 web server before version 3.5.15.40. The official CISA advisory ties the issue to Festo Automation Suite environments that include CODESYS components, and recommends upgrading to patched CODESYS releases and keeping Festo’s connector and Automation Suite software current. Because the flaw is network-reachable and rated CVSS 9.8, exposed OT/ICS installations should treat it as urgent.

Vendor: Festo
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

OT/ICS defenders, Festo Automation Suite administrators, teams operating CODESYS Control runtime systems, and anyone responsible for engineering workstations or automation assets that bundle CODESYS components.

Technical summary

According to the supplied CISA CSAF advisory, CVE-2020-10245 affects the CODESYS V3 web server before version 3.5.15.40 and can lead to a buffer overflow. The advisory’s product mapping shows exposure in Festo Automation Suite deployments that include CODESYS Development System components. The provided CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates a remotely reachable issue with no privileges or user interaction required and high potential impact.

Defensive priority

Immediate

Recommended defensive actions

  • Update to a patched CODESYS version at or above 3.5.15.40, using the official CODESYS installation and update instructions.
  • If using Festo Automation Suite, install the latest Festo Automation Suite updates and connector releases as published by Festo.
  • Verify whether any affected systems still bundle older CODESYS components and remove or replace them where the vendor has changed packaging.
  • Monitor CODESYS and vendor advisories regularly and apply security updates promptly.
  • Prioritize exposure review for internet-reachable or high-value OT/ICS engineering systems and isolate them where feasible.
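The first and third actions above both reduce to one check: is a given CODESYS component version below 3.5.15.40? Comparing version strings lexicographically gets this wrong (as strings, "3.5.9.10" sorts after "3.5.15.40"), so the following added example (my own code, not Festo's or CODESYS's) parses versions numerically and triages a constructed inventory. The hostnames and versions in SAMPLE_INVENTORY are made up for illustration; the fixed version is the one quoted in the advisory text.

```python
import re

# Fixed version stated in the advisory text on this page.
FIXED_VERSION = "3.5.15.40"

# Constructed sample inventory (hostnames and versions are not real assets):
# (host, CODESYS component version as reported by the asset inventory)
SAMPLE_INVENTORY = [
    ("eng-ws-01", "3.5.14.20"),
    ("eng-ws-02", "3.5.15.40"),    # exactly the fixed build
    ("plc-line-a", "3.5.9.10"),    # string compare would wrongly call this patched
    ("plc-line-b", "V3.5.16.0"),   # CODESYS often writes versions with a leading V
    ("eng-ws-03", "unknown"),      # inventory has no version recorded
]

# Optional leading V/v, then dot-separated integers
_VERSION_RE = re.compile(r"^[Vv]?\d+(\.\d+)*$")


def parse_version(s: str) -> tuple:
    """Parse '3.5.15.40' or 'V3.5.15.40' into a tuple of ints for numeric comparison."""
    s = s.strip()
    if not _VERSION_RE.match(s):
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(x) for x in s.lstrip("Vv").split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version is strictly below the fixed version ('before 3.5.15.40').
    Shorter tuples are padded with zeros so 3.5.16 compares as 3.5.16.0."""
    v, f = parse_version(version), parse_version(fixed)
    n = max(len(v), len(f))
    return v + (0,) * (n - len(v)) < f + (0,) * (n - len(f))


def triage(inventory, fixed: str = FIXED_VERSION) -> dict:
    """Map host -> 'affected' | 'at_or_above_fix' | 'unknown'.
    'unknown' entries need a manual check rather than being assumed safe."""
    result = {}
    for host, ver in inventory:
        try:
            result[host] = "affected" if is_affected(ver, fixed) else "at_or_above_fix"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

The "at_or_above_fix" label is deliberately narrow: it states only that the version number is not below the advisory's fixed version, not that the host carries every later fix, which is why the second action (vendor updates for Festo Automation Suite) still applies to those hosts.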

Evidence notes

The supplied source corpus is a CISA CSAF advisory published at 2026-02-26T08:00:00Z and revised at 2026-03-17T06:00:00Z, with the latter revision describing republication of the Festo advisory. The advisory text explicitly states: "CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow." The provided CVSS score is 9.8 (critical). The vendor/product mapping in the corpus centers on Festo Automation Suite deployments that include CODESYS components; however, the vulnerability description itself concerns the CODESYS V3 web server, so the Festo attribution should be read as advisory-context mapping rather than as the origin of the affected software.

Official resources

Public advisory context only. Use the supplied CVE published date of 2026-02-26 and modified date of 2026-03-17 for timing context; do not infer an earlier or later issue date from patch-generation activity.