PatchSiren cyber security CVE debrief
CVE-2020-12067 Festo CVE debrief
CVE-2020-12067 is a high-severity password-management flaw in a CODESYS-based industrial engineering environment. The supplied advisory corpus describes an attacker changing a user’s password without knowing the current password, which can undermine account integrity and access control. The advisory was published on 2026-02-26 and revised on 2026-03-17. Because the supplied source metadata contains inconsistent product labeling, the safest interpretation is to treat this as a CODESYS-related issue affecting the listed Festo Automation Suite / bundled CODESYS versions until vendor guidance is confirmed.
- Vendor: Festo
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
Industrial automation teams, OT/ICS administrators, and support staff running Festo Automation Suite or other affected CODESYS-based engineering tools are the primary audience. Any environment that relies on these tools for access-controlled configuration or engineering workstations should prioritize review and patching.
Technical summary
The advisory states that in a CODESYS-based component, a user’s password may be changed by an attacker without knowledge of the current password. The provided CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) indicates network-reachable impact with no privileges or user interaction required and a primary integrity impact. The supplied remediation guidance ties the issue to Festo Automation Suite versions before 2.8.0.138 and recommends installing the latest patched CODESYS release separately, because CODESYS is no longer bundled starting with Festo Automation Suite 2.8.0.138.
Defensive priority
High. The issue is remotely reachable, requires no authentication or user interaction according to the supplied CVSS vector, and can directly affect account integrity. Prioritize patching in any exposed engineering or maintenance environment.
Recommended defensive actions
- Update Festo Automation Suite to version 2.8.0.138 or later.
- Install the latest patched CODESYS release directly from the official CODESYS website.
- Follow the vendor installation and update instructions to ensure all security fixes are applied.
- Keep the Festo Automation Suite connector up to date by applying Festo updates as they are released.
- Monitor CODESYS and Festo security advisories for follow-on fixes or compatibility notes.
Evidence notes
Primary evidence comes from the supplied CISA CSAF advisory record for ICSA-26-076-01 (published 2026-02-26; revised 2026-03-17), which lists the issue description, the affected Festo Automation Suite/CODESYS product set, the CVSS vector, and the mitigation guidance. The source corpus also includes official reference URLs for the CVE record, CISA advisory, CODESYS/Festo advisory pages, and a CWE-640 reference. The vendor/product metadata in the supplied corpus is inconsistent, so claims are limited to what is explicitly stated in the advisory record and its references.
Official resources
- CVE-2020-12067 CVE record (CVE.org)
- CVE-2020-12067 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA’s advisory ICSA-26-076-01 for this CVE was published on 2026-02-26 and revised on 2026-03-17. The supplied record indicates the advisory was republished from a Festo security advisory and references official vendor and CODESYS guidance.