PatchSiren

CVE-2020-7052 Festo CVE debrief

CVE-2020-7052 describes an availability issue in CODESYS components used with Festo Automation Suite. The advisory says affected CODESYS Control V3, Gateway V3, and HMI V3 versions before 3.5.15.30 can perform uncontrolled memory allocation, which may lead to a remote denial of service.

Vendor: Festo
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

Administrators and operators running Festo Automation Suite or embedded CODESYS components in industrial environments should review this issue, especially where CODESYS Control V3, Gateway V3, or HMI V3 are exposed on reachable networks.

Technical summary

According to the advisory, CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 can allocate memory without proper control. The published CVSS vector indicates network reachability, low privileges, no user interaction, and an availability-only impact, so the main risk is service disruption rather than data compromise.

Defensive priority

Medium priority: the issue is limited to denial of service, but the network-exploitable path and ICS context make timely patching important for uptime and resilience.

Recommended defensive actions

  • Update CODESYS components to a patched version at or above 3.5.15.30.
  • If using Festo Automation Suite, move to version 2.8.0.138 or later and follow Festo's updated installation model for CODESYS.
  • Download and install CODESYS updates only from the official CODESYS website, following the vendor's installation guidance.
  • Keep the Festo Automation Suite connector current and monitor CODESYS and Festo security advisories for subsequent fixes.
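
An added example, not taken from the advisory or from Festo or CODESYS: a small inventory audit that compares installed versions against the fixed versions named above. The CSV column names, host names and status labels are assumptions made for illustration; versions are compared numerically because a plain string comparison would rank 3.5.9.40 above 3.5.15.30.

```python
import csv
import io

# Fixed-version thresholds taken from the advisory text above.
FIXED = {
    "codesys control v3": (3, 5, 15, 30),
    "codesys gateway v3": (3, 5, 15, 30),
    "codesys hmi v3": (3, 5, 15, 30),
    "festo automation suite": (2, 8, 0, 138),
}

def parse_version(text, width=4):
    """Turn '3.5.15.30' into (3, 5, 15, 30); pad short versions with zeros."""
    parts = text.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))

def audit(inventory_csv):
    """Return (host, product, version, status) for each row in the advisory's scope."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["product"].strip().lower())
        if fixed is None:
            continue  # product is not named in the advisory
        try:
            below = parse_version(row["version"]) < fixed
            status = "BELOW_FIXED" if below else "ok"
        except ValueError:
            status = "REVIEW"  # never treat an unreadable version as patched
        findings.append((row["host"], row["product"], row["version"], status))
    return findings

# Constructed sample inventory (hypothetical hosts and column layout).
SAMPLE = """host,product,version
plc-line1,CODESYS Control V3,3.5.9.40
gw-cell2,CODESYS Gateway V3,3.5.15.30
hmi-pack3,CODESYS HMI V3,3.5.16
eng-ws01,Festo Automation Suite,2.7.0.201
eng-ws02,Festo Automation Suite,2.8.0.138
plc-line4,CODESYS Control V3,V3.5 SP15
hist-01,Historian Server,1.0.0.0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Rows marked REVIEW carry a version string the parser could not read and need a manual check against the installed component.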

Evidence notes

The supplied CISA CSAF advisory (ICSA-26-076-01) was first published on 2026-02-26 and republished on 2026-03-17, with the revision history noting republication of Festo SE & Co. KG advisory FSA-202601. The advisory metadata and notes identify the affected scope as CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30, and the remediation section states that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS. No KEV listing is present in the provided corpus.

Official resources

First published in the provided CISA CSAF advisory on 2026-02-26 and republished on 2026-03-17. No KEV entry is included in the supplied data.