PatchSiren cyber security CVE debrief
CVE-2020-15806 Festo CVE debrief
CVE-2020-15806 is a high-severity availability issue in the CODESYS Control runtime system before 3.5.16.10. In the CISA-republished Festo advisory, the affected context is Festo Automation Suite deployments that include CODESYS components. The source describes the flaw as uncontrolled memory allocation, with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, no privileges or user interaction required, and a high availability impact with no confidentiality or integrity impact, i.e. a remotely triggerable denial of service.
- Vendor: Festo
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS teams running Festo Automation Suite, especially systems that include CODESYS Control runtime or related CODESYS components. Engineering workstations, deployment hosts, and support systems used to manage these environments should be prioritized for review and patching.
Technical summary
The advisory states that CODESYS Control runtime system versions before 3.5.16.10 allow uncontrolled memory allocation. CISA’s CSAF record ties the issue to Festo Automation Suite and notes that, starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed separately by the customer. The remediation guidance is to obtain the latest patched CODESYS release directly from the official CODESYS website, follow vendor installation/update instructions, and keep the Festo Automation Suite connector up to date. The record does not provide exploit details beyond the memory-allocation condition.
Defensive priority
High priority. The flaw is rated HIGH, is network-exploitable per the published CVSS vector, and can impact availability in industrial software environments. Apply vendor updates promptly and verify whether any hosts still run CODESYS Control runtime before 3.5.16.10.
Recommended defensive actions
- Update CODESYS Control runtime to version 3.5.16.10 or later using official CODESYS release channels.
- If Festo Automation Suite is deployed, upgrade to 2.8.0.138 or later and follow Festo’s connector update guidance.
- Inventory hosts to determine whether CODESYS is bundled with Festo Automation Suite or installed separately.
- Review engineering workstations and operational support systems for the affected CODESYS runtime version and remediate them first.
- Monitor official CODESYS, Festo, and CISA advisories for follow-on updates and apply patches promptly.
- Apply standard ICS hardening practices such as network segmentation, change control, and regular backups for recovery planning.
Evidence notes
The source corpus includes CISA advisory ICSA-26-076-01, which republishes the Festo advisory FSA-202601. It explicitly states: "CODESYS Control runtime system before 3.5.16.10 allows Uncontrolled Memory Allocation." The remediation section states that from Festo Automation Suite version 2.8.0.138 onward, CODESYS is no longer bundled and must be downloaded and installed separately, and it instructs customers to install the latest patched CODESYS version from the official website and keep the Festo Automation Suite connector updated. The advisory metadata also provides CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and HIGH severity.
Official resources
- CVE-2020-15806 CVE record (CVE.org)
- CVE-2020-15806 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
CISA published the CSAF advisory on 2026-02-26 and republished it on 2026-03-17 as a CISA republication of the Festo SE & Co. KG advisory. Those dates are used here for advisory timing context only; they are not treated as the original flaw