PatchSiren cyber security CVE debrief

CVE-2021-36763 Festo CVE debrief

CVE-2021-36763 describes an information-disclosure issue in the CODESYS V3 web server: files or directories are accessible to external parties when running versions before 3.5.17.10. In the CISA-republished Festo advisory context, the issue is tied to Festo Automation Suite deployments that include CODESYS components, making patch level and installation model important for exposure reduction.

Vendor: Festo
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

OT and automation teams using Festo Automation Suite, administrators of systems that include CODESYS V3 components, and patch-management staff responsible for industrial engineering workstations or related web server exposure.

Technical summary

The advisory states that in CODESYS V3 web server versions before 3.5.17.10, files or directories can be accessed by external parties. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which matches a network-reachable confidentiality issue. The referenced CWE is CWE-552 (Files or Directories Accessible to External Parties). The remediation guidance in the advisory also notes that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS, requiring separate, patched installation from the official CODESYS source.

Defensive priority

High for environments where the CODESYS web server is reachable beyond trusted administrative networks, because the issue can expose files or directories without requiring privileges or user interaction. Priority is especially elevated where engineering files, configuration data, or other sensitive assets could be present.

Recommended defensive actions

  • Update CODESYS to version 3.5.17.10 or later using the official CODESYS download and installation guidance.
  • Update Festo Automation Suite to version 2.8.0.138 or later and install the FAS connector updates released by Festo.
  • Verify whether CODESYS is bundled with, or separately installed alongside, the affected Festo Automation Suite deployment.
  • Restrict network access to the CODESYS web server to trusted administrative paths only and review any unnecessary exposure.
  • Review affected hosts for sensitive files or directories that may have been exposed and rotate credentials or secrets if they were accessible.
  • Monitor and follow official CODESYS, Festo PSIRT, and CISA advisory updates for any further remediation notes.

Evidence notes

The supplied CISA CSAF advisory (ICSA-26-076-01) republished the Festo advisory and explicitly states: 'In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties.' The remediation section says that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be downloaded and installed separately by the customer, with updates applied from the official CODESYS website. The vendor mapping in the supplied enrichment is low-confidence and should be reviewed because the advisory content ties the issue to Festo Automation Suite and CODESYS rather than a standalone FESTO product label.

Official resources

CVE-2021-36763 was published in the provided source timeline on 2026-02-26 and republished/modified in the CISA CSAF advisory on 2026-03-17. The source revision history shows an initial version followed by a CISA republication of the Festo/