PatchSiren cyber security CVE debrief
CVE-2021-29242 Festo CVE debrief
CVE-2021-29242 is a high-severity industrial control systems issue tied to CODESYS Control Runtime before 3.5.17.0. According to the CISA advisory and source description, an attacker able to send crafted communication packets could change the router’s addressing scheme and potentially reroute, add, remove, or modify low-level communication packages. The advisory is published in the context of Festo Automation Suite and notes that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS, while earlier affected builds did.
- Vendor: Festo
- Product: Unknown
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
Organizations using Festo Automation Suite, especially deployments that include CODESYS Control Runtime versions earlier than 3.5.17.0. OT operators, system integrators, and asset owners responsible for industrial automation engineering workstations or runtime environments should review exposure and update paths.
Technical summary
The flaw is an improper input validation problem in CODESYS Control Runtime before 3.5.17.0. CISA’s advisory states that crafted communication packets can alter router addressing behavior and may re-route, add, remove, or change low-level communication packages. The source material associates affected Festo Automation Suite releases with bundled CODESYS components, including installations below 2.8.0.138 with CODESYS Development System 3.0 or 3.5.16.10.
Defensive priority
High. The issue is network-reachable in the CVSS vector, requires no privileges or user interaction, and affects industrial automation software where routing or communication-path manipulation can disrupt operations. Prioritize inventory, version verification, and upgrade planning for any exposed or operationally critical deployments.
Recommended defensive actions
- Inventory all Festo Automation Suite installations and identify whether CODESYS is bundled or separately installed.
- Upgrade to Festo Automation Suite 2.8.0.138 or later where applicable.
- Update CODESYS Control Runtime to a patched version at or above 3.5.17.0 using the official CODESYS update path.
- Follow the vendor installation and update instructions to ensure the correct security fixes are applied.
- Monitor Festo and CODESYS security advisories and apply updates promptly.
- Use ICS network segmentation and other defense-in-depth controls to reduce the impact of unauthorized traffic reaching industrial automation systems.
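The inventory and version-verification steps above can be scripted. The following is an added example, not code from Festo, CODESYS or the advisory; it assumes a hypothetical inventory schema and uses the two thresholds this debrief gives (CODESYS Control Runtime 3.5.17.0 as the first fixed build, Festo Automation Suite 2.8.0.138 as the first build that no longer bundles CODESYS), with numeric version comparison so that 3.5.9.0 is correctly ranked below 3.5.17.0.

```python
# Added example, not from the advisory or either vendor: triage a constructed
# asset inventory against the version thresholds this debrief gives.
# Assumed thresholds: CODESYS Control Runtime 3.5.17.0 (first fixed build) and
# Festo Automation Suite 2.8.0.138 (first build that no longer bundles CODESYS).
FIXED_RUNTIME = (3, 5, 17, 0)
SUITE_WITHOUT_CODESYS = (2, 8, 0, 138)

def parse_version(text):
    """'3.5.16.10' -> (3, 5, 16, 10): numeric tuples compare correctly where
    plain string comparison would put '3.5.9.0' after '3.5.17.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def assess(asset):
    """Return 'exposed', 'patched' or 'unknown' for one inventory record.
    Hypothetical schema: suite_version and runtime_version are version
    strings, or None when the component is absent or unrecorded."""
    runtime = asset.get("runtime_version")
    suite = asset.get("suite_version")
    if runtime is not None:
        # An installed runtime is decisive, whether bundled or standalone.
        return "patched" if parse_version(runtime) >= FIXED_RUNTIME else "exposed"
    if suite is not None and parse_version(suite) >= SUITE_WITHOUT_CODESYS:
        # Suite 2.8.0.138+ ships without CODESYS, so no runtime means nothing to fix.
        return "patched"
    # Older suite (which did bundle CODESYS) with no runtime version recorded,
    # or no data at all: cannot conclude, so flag for manual verification.
    return "unknown"

def triage(inventory):
    """Group asset names by verdict so exposed hosts can be prioritised."""
    result = {"exposed": [], "patched": [], "unknown": []}
    for asset in inventory:
        result[assess(asset)].append(asset["name"])
    return result

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"name": "eng-ws-01", "suite_version": "2.7.0.50", "runtime_version": "3.5.16.10"},
    {"name": "eng-ws-02", "suite_version": "2.8.0.138", "runtime_version": None},
    {"name": "plc-sim-03", "suite_version": None, "runtime_version": "3.5.17.0"},
    {"name": "eng-ws-04", "suite_version": "2.7.0.50", "runtime_version": None},
    {"name": "eng-ws-05", "suite_version": None, "runtime_version": "3.5.9.0"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Records that land in "unknown" are the ones where an older suite build may still carry a bundled runtime that the inventory did not capture; those need a manual version check rather than being assumed safe.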
Evidence notes
The CVE description in the source corpus states that CODESYS Control Runtime system before 3.5.17.0 has improper input validation and that crafted packets may alter routing and low-level communications. The CISA CSAF source item is the primary evidence base and was republished on 2026-03-17 as a CISA republication of Festo SE & Co. KG advisory FSA-202601. The vendor metadata supplied with this record is low-confidence and marked for review, so product attribution should be treated carefully and anchored to the advisory text rather than the vendor label alone.
Official resources
- CVE-2021-29242 CVE record (CVE.org)
- CVE-2021-29242 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA’s source item shows an initial publication date of 2026-02-26 and a republication/revision on 2026-03-17. Use those dates as the advisory timeline for this record; they are the only supplied timing anchors.