PatchSiren cyber security CVE debrief
CVE-2021-29241 Festo CVE debrief
CVE-2021-29241 is a high-severity availability issue affecting CODESYS Gateway 3 before version 3.5.16.70. In the advisory republished by CISA for Festo Automation Suite environments, the flaw is described as a NULL pointer dereference that may result in denial of service. The issue matters most for industrial and OT deployments where interruption of engineering or gateway services can disrupt operations. The advisory was first published on 2026-02-26 and republished by CISA on 2026-03-17 with the original Festo advisory content.
- Vendor: Festo
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS administrators, Festo Automation Suite users, and teams responsible for CODESYS installations or updates should care most. Environments that rely on gateway availability, engineering connectivity, or tightly managed production systems should prioritize review.
Technical summary
The source advisory states that CODESYS Gateway 3 before 3.5.16.70 contains a NULL pointer dereference. The CVSS vector provided is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with a network-reachable, low-complexity denial-of-service condition without privileges or user interaction. The Festo advisory also notes that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be downloaded and installed separately; remediation therefore depends on keeping any separately installed CODESYS components patched and ensuring the Festo Automation Suite connector is current.
Defensive priority
High
Recommended defensive actions
- Update any affected CODESYS Gateway 3 installation to version 3.5.16.70 or later.
- If CODESYS is installed separately from Festo Automation Suite, obtain and install the latest patched version directly from the official CODESYS source.
- Keep the Festo Automation Suite connector up to date by applying Festo-released updates.
- Monitor vendor security advisories for both Festo and CODESYS and apply fixes promptly.
- Inventory affected systems to confirm whether older bundled or separately installed CODESYS components are present.
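The inventory step above comes down to comparing each installed CODESYS Gateway 3 version against the fix threshold 3.5.16.70. The following added example (not from Festo, CODESYS or CISA) assumes the operator already has a list of host and version records from their own asset inventory; the hosts and version strings are constructed sample data. It compares versions component by component, since a plain string comparison would rank "3.5.9.0" above "3.5.16.70", and reports unparseable versions separately instead of treating them as patched.

```python
"""Inventory triage against the fix threshold stated in the advisory.

Added example. FIXED_VERSION is the value from the advisory; the inventory
records below are constructed sample data, not a real site inventory.
"""
from typing import List, Tuple

FIXED_VERSION = "3.5.16.70"  # from the advisory: Gateway 3 versions before this are affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.5.16.70' into (3, 5, 16, 70) so components compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed version.
    Shorter tuples are zero-padded so '3.5.16' and '3.5.16.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(records: List[Tuple[str, str]]):
    """Split inventory rows into (needs_update, unknown). Rows whose version
    cannot be parsed are surfaced for manual review, never assumed safe."""
    needs_update, unknown = [], []
    for host, version in records:
        try:
            if is_affected(version):
                needs_update.append((host, version))
        except ValueError:
            unknown.append((host, version))
    return needs_update, unknown


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "3.5.15.40"),   # older than the fix: flag
    ("eng-ws-02", "3.5.16.70"),   # exactly the fixed version: not affected
    ("eng-ws-03", "3.5.9.0"),     # older, but sorts "above" the fix as a string
    ("eng-ws-04", "3.5.17.10"),   # newer: not affected
    ("gw-legacy", "n/a"),         # version unknown: needs a manual look
]

if __name__ == "__main__":
    flagged, unknown = triage(SAMPLE_INVENTORY)
    for host, version in flagged:
        print(f"UPDATE  {host}: {version} < {FIXED_VERSION}")
    for host, version in unknown:
        print(f"REVIEW  {host}: version {version!r} could not be parsed")
```

The `unknown` bucket is the part most often skipped in ad-hoc scripts: a host whose version could not be read is exactly the one most likely to be an old bundled install, so it belongs on the review list rather than silently dropping out of the report.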
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01 and its referenced Festo advisory materials. The source explicitly states that CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may cause denial of service. The advisory metadata also indicates that CISA republished the Festo SE & Co. KG advisory content on 2026-03-17. Note: the provided vendor metadata is inconsistent and marked low-confidence; the source advisory title is 'CODESYS in Festo Automation Suite,' so the product scope should be treated as Festo Automation Suite environments containing CODESYS components rather than FESTO as a standalone product.
Official resources
- CVE-2021-29241 CVE record (CVE.org)
- CVE-2021-29241 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2021-29241 was published in the source advisory on 2026-02-26 and republished by CISA on 2026-03-17 as ICSA-26-076-01. The disclosed issue is a NULL pointer dereference in CODESYS Gateway 3 before 3.5.16.70 leading to denial of service.