PatchSiren cyber security CVE debrief
CVE-2021-33485 Festo CVE debrief
CVE-2021-33485 is a critical memory-corruption issue in CODESYS Control Runtime before 3.5.17.10. The supplied CISA CSAF advisory (ICSA-26-076-01) republishes vendor guidance for Festo Automation Suite environments that include affected CODESYS components. Because the CVSS base score is 9.8 and the vector requires only network access, with no privileges and no user interaction, this should be treated as an urgent patching issue for industrial environments that rely on CODESYS-based runtime components.
- Vendor: Festo
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS operators using Festo Automation Suite, engineers managing CODESYS-based automation deployments, and security teams responsible for industrial endpoints or engineering workstations that run bundled CODESYS components.
Technical summary
The core flaw is a heap-based buffer overflow (CWE-787) in CODESYS Control Runtime versions before 3.5.17.10. The CISA advisory lists Festo Automation Suite/CODESYS combinations in its affected-product context, including Festo Automation Suite releases below 2.8.0.138 together with the specific CODESYS Development System versions those releases bundled. The source corpus also notes that, starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled with the suite and must be installed separately, so on those releases the installed CODESYS version has to be checked independently of the suite version. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8).
Defensive priority
Immediate
Recommended defensive actions
- Upgrade CODESYS Control Runtime to version 3.5.17.10 or later, using the latest patched CODESYS release from the official CODESYS website.
- Update Festo Automation Suite to the latest supported release and verify whether CODESYS is bundled or installed separately in your deployment.
- Inventory Festo Automation Suite installations and identify systems using affected CODESYS builds referenced in the advisory corpus, especially combinations below 2.8.0.138.
- Apply vendor-recommended installation and update instructions, then validate that the patched runtime is present after maintenance.
- Monitor CODESYS and Festo security advisories and apply future updates promptly.
- Use industrial control system defense-in-depth practices, including network segmentation and exposure minimization, to reduce the blast radius of vulnerable engineering or runtime systems.
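The inventory and version-validation steps above are where most mistakes happen in practice: dotted build numbers such as 3.5.17.9 and 3.5.17.10 sort incorrectly as strings, and a host running Festo Automation Suite 2.8.0.138 or later can carry any separately installed CODESYS version. The following triage helper is an added example, not code from PatchSiren, CISA, Festo or CODESYS. It assumes that installed versions are available as dotted numeric strings, uses only the two thresholds the advisory text on this page cites (runtime fixed in 3.5.17.10, CODESYS unbundled from Festo Automation Suite at 2.8.0.138), and runs over a constructed sample inventory; the host names and versions are made up.

```python
"""Inventory triage helper for CVE-2021-33485 (added example, not vendor code).

Assumptions not stated on the page:
  - installed versions are available as dotted numeric strings ("3.5.17.9");
  - the only thresholds used are the two the page cites:
    CODESYS Control Runtime 3.5.17.10 and Festo Automation Suite 2.8.0.138;
  - SAMPLE_HOSTS below is constructed sample data, not a real inventory.
"""
from dataclasses import dataclass
from typing import Optional

RUNTIME_FIXED = "3.5.17.10"   # CODESYS Control Runtime fixed version per the advisory
FAS_UNBUNDLED = "2.8.0.138"   # Festo Automation Suite release that stops bundling CODESYS


def parse_version(text: str) -> tuple:
    """Turn '3.5.17.10' into (3, 5, 17, 10) so comparison is numeric, not lexical.

    As strings, '3.5.17.9' > '3.5.17.10', so a string compare would mark a
    vulnerable build as patched. Tuples of ints compare component by component.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if dotted version a is strictly older than b (missing components count as 0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


@dataclass
class Host:
    name: str
    fas_version: Optional[str]      # Festo Automation Suite version, None if not installed
    runtime_version: Optional[str]  # CODESYS Control Runtime version, None if not recorded


def triage(host: Host) -> str:
    """Classify one host against the two thresholds the advisory cites.

    'vulnerable'  runtime recorded and older than 3.5.17.10
    'patched'     runtime recorded and at or above 3.5.17.10
    'inspect'     no runtime recorded, but FAS < 2.8.0.138 bundled CODESYS,
                  so an affected bundled build may be present
    'unknown'     no runtime recorded and FAS absent or >= 2.8.0.138; CODESYS is
                  installed separately there, so the inventory must be completed
    """
    if host.runtime_version is not None:
        return "vulnerable" if version_lt(host.runtime_version, RUNTIME_FIXED) else "patched"
    if host.fas_version is not None and version_lt(host.fas_version, FAS_UNBUNDLED):
        return "inspect"
    return "unknown"


def triage_inventory(hosts: list) -> dict:
    """Map each host name to its triage verdict."""
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_HOSTS = [
    Host("ews-01", fas_version="2.7.0.120", runtime_version="3.5.17.9"),
    Host("ews-02", fas_version="2.8.0.138", runtime_version="3.5.17.10"),
    Host("ews-03", fas_version="2.6.0.90", runtime_version=None),
    Host("ews-04", fas_version="2.9.0.10", runtime_version=None),
    Host("plc-gw-01", fas_version=None, runtime_version="3.5.16.40"),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_HOSTS).items():
        print(f"{name:10} {verdict}")
```

The 'inspect' and 'unknown' verdicts are deliberate: a host is only declared patched when a runtime version at or above 3.5.17.10 has actually been read back from it after maintenance, which is the validation step the vendor guidance asks for.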
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-26-076-01 (source item URL: raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2026/icsa-26-076-01.json), published 2026-02-26 and republished 2026-03-17. The advisory metadata identifies the issue as CVE-2021-33485 and states: 'CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.' The corpus references the CISA advisory page, the vendor PSIRT page, the CertVDE vendor page, the vendor advisory FSA-202601, the CVE record, the CWE-787 reference, and the CVSS calculator. Vendor attribution in the user-supplied corpus is inconsistent, so product naming should be treated as advisory-context dependent rather than a single definitive vendor product label.
Official resources
- CVE-2021-33485 CVE record (CVE.org)
- CVE-2021-33485 NVD detail (NVD)
- Source item URL (cisa_csaf): raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2026/icsa-26-076-01.json
Publicly disclosed through CISA CSAF advisory ICSA-26-076-01 on 2026-02-26; CISA republished the advisory on 2026-03-17 with vendor advisory context from FSA-202601.