PatchSiren cyber security CVE debrief
CVE-2022-31806 Festo CVE debrief
CVE-2022-31806 is a critical ICS weakness in CODESYS V2 PLCWinNT and Runtime Toolkit 32 versions prior to V2.4.7.57. The advisory states that password protection is not enabled by default and that there is no information or prompt at login to enable password protection when no password is set at the controller. CISA published the advisory on 2026-02-26 and republished it on 2026-03-17 as an initial republication of a Festo advisory. The practical concern is straightforward: affected controllers may be left without password protection unless administrators explicitly configure and maintain it.
- Vendor: Festo
- Product: -Q-
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-11-25
- Original CVE updated: 2025-11-25
- Advisory published: 2025-11-25
- Advisory updated: 2025-11-25
Who should care
OT/ICS administrators, control engineers, and system integrators using CODESYS V2 PLCWinNT or Runtime Toolkit 32, especially where these components are bundled with or deployed through Festo Automation Suite and controllers may have no password set.
Technical summary
The issue is a security-by-default failure. In the affected CODESYS V2 components, password protection is not enabled automatically, and the login flow does not prompt the operator to enable it if the controller has no password. The advisory maps impacted installations to Festo Automation Suite deployments that include older CODESYS components and recommends moving to patched CODESYS releases and keeping the Festo connector current.
Defensive priority
Immediate for exposed or operational OT environments. Because the advisory rates the issue critical and it can leave controllers without password protection, organizations should verify access settings now and patch or replace affected CODESYS versions on the shortest possible maintenance path.
Recommended defensive actions
- Inventory all installations of CODESYS V2 PLCWinNT and Runtime Toolkit 32, including systems delivered through Festo Automation Suite.
- Verify whether controller password protection is enabled on each affected system and remediate any controller left without a password.
- Install the latest patched CODESYS version from the official CODESYS website and follow vendor update guidance.
- Update Festo Automation Suite components and connectors to the latest Festo release.
- Monitor CODESYS and Festo security advisories and apply updates promptly.
- Restrict network exposure to engineering workstations and controller interfaces until remediation is complete.
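The first two actions above (inventory the affected runtimes, then check each one for password protection) can be driven from an asset list. The following is an added example, not code from the advisory or from Festo or CODESYS: it reads a constructed CSV inventory (hostnames, versions and the `password_protection` column are invented for illustration) and flags entries that are either below the fixed version V2.4.7.57 named in the advisory or still have password protection disabled. Versions are compared numerically rather than as strings, because a string comparison would rank `2.4.7.100` below `2.4.7.57` and misreport a patched build.

```python
from __future__ import annotations

import csv
import io
from typing import NamedTuple

# Values taken from the advisory text.
FIXED_VERSION = "V2.4.7.57"
AFFECTED_PRODUCTS = {"CODESYS V2 PLCWinNT", "CODESYS Runtime Toolkit 32"}

# Constructed sample inventory: hostnames, versions and the
# password_protection column are invented for illustration.
SAMPLE_INVENTORY = """\
host,product,version,password_protection
plc-line1,CODESYS V2 PLCWinNT,V2.4.7.55,disabled
plc-line2,CODESYS V2 PLCWinNT,V2.4.7.57,enabled
plc-line3,CODESYS Runtime Toolkit 32,V2.4.7.100,disabled
hmi-eng1,CODESYS V2 PLCWinNT,2.4.7.9,enabled
scada-gw,Other Runtime,1.0,disabled
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V2.4.7.57' into (2, 4, 7, 57) so versions compare numerically.

    A plain string comparison gets this wrong: '2.4.7.100' < '2.4.7.57' is
    True for strings, so a patched build would be reported as vulnerable.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    reasons: tuple[str, ...]


def assess_entry(row: dict[str, str]) -> Finding | None:
    """Return a Finding for an in-scope entry that needs remediation, else None."""
    if row["product"] not in AFFECTED_PRODUCTS:
        return None
    reasons: list[str] = []
    if parse_version(row["version"]) < parse_version(FIXED_VERSION):
        reasons.append(f"version below {FIXED_VERSION}")
    # Password protection is off by default on affected builds, so it is
    # checked explicitly even when the version is already patched.
    if row["password_protection"].strip().lower() != "enabled":
        reasons.append("password protection disabled")
    if not reasons:
        return None
    return Finding(row["host"], row["product"], row["version"], tuple(reasons))


def assess_inventory(csv_text: str) -> list[Finding]:
    """Run assess_entry over every row of a CSV inventory and collect findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [f for f in (assess_entry(row) for row in reader) if f is not None]


if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE_INVENTORY):
        print(f"{finding.host}: {finding.product} {finding.version} -> "
              f"{'; '.join(finding.reasons)}")
```

Only the two product names from the advisory are treated as in scope; an entry on a patched version is still reported when its password protection is not enabled, which matches the advisory's point that patching alone does not turn protection on.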
Evidence notes
The supplied CSAF record describes the vulnerability as affecting CODESYS V2 PLCWinNT and Runtime Toolkit 32 prior to V2.4.7.57, where password protection is not enabled by default and no login prompt exists to enable it when no controller password is set. The source item is a CISA republication of Festo advisory FSA-202601. The supplied vendor metadata is low-confidence and inconsistent, so the debrief focuses on the affected CODESYS components and the Festo Automation Suite context reflected in the advisory.
Official resources
- CVE-2022-31806 CVE record (CVE.org)
- CVE-2022-31806 NVD detail (NVD)
- Source item URL: cisa_csaf
- Source reference: Reference
CISA published the advisory on 2026-02-26 and republished it on 2026-03-17. The supplied record does not include a separate vulnerability discovery date, so those publication dates should not be treated as the original issue date.