PatchSiren cyber security CVE debrief
CVE-2019-13542 GmbH CVE debrief
This vulnerability can let an attacker who can act as a trusted OPC UA client send crafted requests that trigger a NULL pointer dereference in CODESYS V3 OPC UA Server, resulting in a denial-of-service condition. The source advisory ties the issue to CODESYS use within Festo Automation Suite, and notes that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS.
- Vendor: GmbH
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
OT and industrial control system operators using CODESYS V3 OPC UA Server versions 3.5.11.0 through 3.5.15.0, especially where the component is deployed through Festo Automation Suite or where trusted OPC UA client access is allowed.
Technical summary
CISA’s CSAF advisory states that CODESYS V3 OPC UA Server, all versions 3.5.11.0 to 3.5.15.0, allows crafted requests from a trusted OPC UA client to cause a NULL pointer dereference. The described impact is denial of service, and the provided CVSS vector reflects network reachability with low attack complexity, low privileges, no user interaction, and high availability impact. The source advisory also states that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and must be obtained separately.
Defensive priority
Medium. The issue is availability-impacting rather than a confirmed code-execution flaw, but it affects industrial software and can be triggered over networked OPC UA paths by an attacker with trusted-client access.
Recommended defensive actions
- Verify whether your environment uses CODESYS V3 OPC UA Server versions 3.5.11.0 through 3.5.15.0 or Festo Automation Suite releases that bundle CODESYS.
- Apply the latest patched CODESYS release from the official CODESYS website as directed in the advisory.
- If using Festo Automation Suite, install the latest FAS updates and confirm whether your deployed version still bundles CODESYS.
- Review OPC UA trust relationships and restrict trusted-client access to only necessary systems.
- Monitor vendor and CISA advisories for follow-on guidance and validation of affected product combinations.
Evidence notes
Based on the supplied CISA CSAF source item (ICSA-26-076-01) republished on 2026-02-26 and updated on 2026-03-17. The advisory explicitly names CODESYS V3 OPC UA Server versions 3.5.11.0 through 3.5.15.0 and describes a NULL pointer dereference leading to denial of service. The same source notes that Festo Automation Suite 2.8.0.138 stops bundling CODESYS and that customers should install patched CODESYS releases from the official vendor site.
Official resources
- CVE-2019-13542 CVE record (CVE.org)
- CVE-2019-13542 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA’s supplied CSAF advisory for CVE-2019-13542 was initially published on 2026-02-26 and republished/updated on 2026-03-17. The advisory is a CISA republication of a Festo advisory and should be read as advisory timing, not the original a