PatchSiren cyber security CVE debrief
CVE-2021-36764 Festo CVE debrief
CVE-2021-36764 is a network-triggerable denial-of-service issue in CODESYS Gateway V3 before 3.5.17.10. According to the advisory, crafted communication requests can trigger a NULL pointer dereference in affected CODESYS products. The source advisory is titled "CODESYS in Festo Automation Suite," and its remediation notes say that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS; customers are directed to install patched CODESYS components separately from the official vendor source.
- Vendor: Festo
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT/ICS administrators, Festo Automation Suite operators, and teams responsible for CODESYS Gateway V3 or bundled CODESYS Development System installations. This is most important where service availability matters and where systems may still be running the affected pre-3.5.17.10 CODESYS Gateway V3 component or older Festo Automation Suite bundles.
Technical summary
The advisory describes a NULL pointer dereference in CODESYS Gateway V3 before 3.5.17.10. A crafted communication request can crash the affected component and cause denial of service. The source metadata ties the issue to Festo Automation Suite deployments that include CODESYS components, including older bundle combinations listed in the advisory. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, so the primary impact is availability.
Defensive priority
High. Prioritize patching and version verification in any environment exposing the affected CODESYS gateway or dependent Festo Automation Suite installations, especially if downtime would affect production or safety-related operations.
Recommended defensive actions
- Update CODESYS Gateway V3 to 3.5.17.10 or later.
- Update Festo Automation Suite to 2.8.0.138 or later and verify which CODESYS components are installed separately.
- Inventory systems for the affected Festo Automation Suite and CODESYS version combinations named in the advisory.
- Limit network exposure to CODESYS gateway services and apply CISA ICS recommended practices for segmentation and defense in depth.
- Monitor for service crashes, unexpected restarts, or availability interruptions, and validate updates in a controlled maintenance window.
- Review vendor advisories from Festo and CODESYS and apply security updates promptly.
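The inventory step above comes down to comparing installed versions against the two fixed releases the advisory names (CODESYS Gateway V3 3.5.17.10 and Festo Automation Suite 2.8.0.138). The following script is an added example written for this debrief, not code from PatchSiren, Festo or CODESYS. The host names, inventory layout and version strings are constructed sample data; in practice the inventory would come from your asset management export or a software-inventory query, and how you collect it is an assumption left to the reader.

```python
"""
Flag inventory entries whose CODESYS Gateway V3 or Festo Automation Suite
version is older than the fixed releases named in the CVE-2021-36764 advisory.
Added example; all hosts and versions below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

# Fixed versions as stated in the advisory. Anything older is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "CODESYS Gateway V3": "3.5.17.10",
    "Festo Automation Suite": "2.8.0.138",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.5.17.10' into (3, 5, 17, 10).

    Raises ValueError for strings that are not dotted integers (e.g. 'n/a'),
    so callers can route unreadable entries to manual review instead of
    silently treating them as patched.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the version is before the fixed release, False if at/after it,
    None if the advisory does not cover this product at all."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    # Tuple comparison handles shorter strings sensibly: (3, 5, 17) sorts
    # before (3, 5, 17, 10), so a bare '3.5.17' is correctly flagged.
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Sort hosts into patch / ok / unknown / not_covered buckets."""
    result: Dict[str, List[str]] = {
        "patch": [], "ok": [], "unknown": [], "not_covered": []
    }
    for entry in inventory:
        try:
            verdict = is_vulnerable(entry["product"], entry["version"])
        except ValueError:
            # Unparseable version: never assume it is fixed.
            result["unknown"].append(entry["host"])
            continue
        if verdict is None:
            result["not_covered"].append(entry["host"])
        elif verdict:
            result["patch"].append(entry["host"])
        else:
            result["ok"].append(entry["host"])
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "plc-gw-01", "product": "CODESYS Gateway V3", "version": "3.5.16.40"},
    {"host": "plc-gw-02", "product": "CODESYS Gateway V3", "version": "3.5.17.10"},
    {"host": "eng-ws-01", "product": "Festo Automation Suite", "version": "2.7.0.120"},
    {"host": "eng-ws-02", "product": "Festo Automation Suite", "version": "2.8.0.138"},
    {"host": "eng-ws-03", "product": "CODESYS Gateway V3", "version": "n/a"},
    {"host": "hmi-01", "product": "Some Other Product", "version": "1.2.3"},
]


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket deserve the same attention as "patch": a version string the inventory tool could not read is the usual sign of a hand-installed or unmanaged CODESYS component, which is exactly the case the advisory's note about separately installed CODESYS packages is warning about.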
Evidence notes
This debrief follows the supplied CISA CSAF advisory content and the advisory title "CODESYS in Festo Automation Suite." The description explicitly states that CODESYS Gateway V3 before 3.5.17.10 can suffer a NULL pointer dereference from crafted communication requests, resulting in denial of service. The revision history shows an initial CISA publication on 2026-02-26 and a CISA republication on 2026-03-17 of the vendor advisory.
Official resources
- CVE-2021-36764 CVE record (CVE.org)
- CVE-2021-36764 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2026-02-26, with a CISA republication on 2026-03-17 that references the vendor advisory. The issue is an availability-only denial-of-service condition in the affected CODESYS component.