PatchSiren cyber security CVE debrief
CVE-2020-12068 Festo CVE debrief
CVE-2020-12068 is a privilege-escalation issue in CODESYS Development System before 3.5.16.0. The source advisory states that CODESYS WebVisu and CODESYS Remote TargetVisu are affected. In the CISA CSAF republication of Festo advisory FSA-202601, the exposure is also tied to Festo Automation Suite installations before version 2.8.0.138, which bundled CODESYS.
- Vendor: Festo
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
Operators and administrators running Festo Automation Suite or standalone CODESYS Development System deployments, especially OT/ICS teams using WebVisu or Remote TargetVisu. This is most relevant where older bundled installations or network-reachable engineering environments are present.
Technical summary
The supplied CVSS 3.1 vector indicates a network-reachable, low-complexity issue that requires no prior privileges and no user interaction, with limited confidentiality and integrity impact. The advisory text does not describe exploit mechanics, but it does identify privilege escalation in WebVisu and Remote TargetVisu on CODESYS Development System versions before 3.5.16.0. Festo’s remediation guidance says that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and customers should install the latest patched CODESYS directly from official sources, while keeping the FAS connector updated.
Defensive priority
Medium; prioritize sooner in exposed OT environments or any site running affected CODESYS/Festo combinations.
Recommended defensive actions
- Confirm whether any systems run CODESYS Development System before 3.5.16.0.
- Check Festo Automation Suite deployments for versions before 2.8.0.138 that bundled CODESYS.
- Upgrade to a patched CODESYS release from the official CODESYS website.
- Apply the Festo Automation Suite connector updates as released by Festo.
- Review exposure of WebVisu and Remote TargetVisu components on reachable systems.
- Monitor vendor advisories and maintenance notices for follow-on fixes.
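As an added example (not part of the advisory and not Festo or CODESYS tooling), a small Python triage helper that flags inventory entries below the fixed versions named in the actions above. The inventory, hostnames and version strings are constructed, and the product keys `codesys` and `fas` are labels chosen for this example.

```python
# Added example: flag hosts whose CODESYS Development System or Festo Automation
# Suite version is below the fixed releases named in the debrief. Versions are
# compared numerically, component by component, because a plain string
# comparison would wrongly rank "3.5.9.0" above "3.5.16.0".

# Fixed-version thresholds taken from the advisory text.
FIXED = {
    "codesys": (3, 5, 16, 0),   # CODESYS Development System 3.5.16.0
    "fas": (2, 8, 0, 138),      # Festo Automation Suite 2.8.0.138 (stops bundling CODESYS)
}


def parse_version(text: str) -> tuple:
    """Turn '3.5.16.0' into (3, 5, 16, 0); missing trailing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_affected(product: str, version: str) -> bool:
    """True when the version is below the fixed release for that product."""
    key = product.lower()
    if key not in FIXED:
        raise ValueError(f"unknown product: {product}")
    return parse_version(version) < FIXED[key]


def triage(inventory):
    """Return (hostname, product, version) for every affected inventory entry."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "codesys", "3.5.9.0"),     # below 3.5.16.0 -> affected
    ("eng-ws-02", "codesys", "3.5.16.0"),    # exact fixed release -> not affected
    ("eng-ws-03", "codesys", "3.5.20.10"),   # newer -> not affected
    ("fas-host-1", "fas", "2.7.3.45"),       # bundled CODESYS, below 2.8.0.138 -> affected
    ("fas-host-2", "fas", "2.8.0.138"),      # no longer bundles CODESYS -> not affected
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release")
```

A FAS host flagged here still needs its bundled CODESYS checked against 3.5.16.0, since the FAS version alone only tells you that CODESYS was bundled.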
Evidence notes
All claims are drawn from the supplied CISA CSAF source item and its referenced official links. The source text explicitly names CODESYS Development System before 3.5.16.0, WebVisu, and Remote TargetVisu, and the remediation section states that Festo Automation Suite 2.8.0.138 stops bundling CODESYS. The source revision history shows an initial publication on 2026-02-26 and a CISA republication on 2026-03-17; these are advisory dates, not vulnerability creation dates. The vendor mapping in the supplied data is low-confidence, so this debrief does not assert a vendor beyond what the source text supports.
Official resources
- CVE-2020-12068 CVE record (CVE.org)
- CVE-2020-12068 NVD detail (NVD)
- Source item URL (cisa_csaf)
The supplied source corpus shows an initial advisory publication on 2026-02-26 and a CISA republication on 2026-03-17 for ICSA-26-076-01 / FSA-202601. No KEV listing is present in the supplied data.