PatchSiren cyber security CVE debrief
CVE-2018-20025 Kaspersky Lab CVE debrief
CVE-2018-20025 is a high-severity weakness in CODESYS V3 products prior to version 3.5.14.0 involving insufficiently random values. In the CISA-republished Festo advisory, the issue is associated with CODESYS components used in Festo Automation Suite deployments. The published CVSS vector indicates a network-reachable issue with no privileges or user interaction required and high confidentiality impact.
- Vendor (record field): Kaspersky Lab
- Product (record field): FESTO (the affected component is CODESYS V3 as bundled in Festo Automation Suite)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-11-13
- Advisory published: 2025-09-30
- Advisory updated: 2025-11-13
Who should care
Security, engineering, and operations teams running CODESYS V3 products older than 3.5.14.0, especially installations that include CODESYS Development System components in Festo Automation Suite. OT/ICS defenders managing exposed engineering workstations or update pipelines should prioritize review.
Technical summary
The advisory describes a Use of Insufficiently Random Values weakness (CWE-330) in CODESYS V3 products before 3.5.14.0. The published vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, rates the issue as reachable over the network with low attack complexity, no privileges and no user interaction required, unchanged scope, high confidentiality impact and no integrity or availability impact; those weights produce the 7.5 base score. The source material also lists the Festo Automation Suite versions that bundled CODESYS components as affected. The vector is the assessor's rating, not a description of an attack path: the advisory text quoted in this debrief does not identify which values are generated with insufficient randomness.
Defensive priority
High priority for any environment using affected CODESYS V3 releases, especially OT/ICS systems and Festo Automation Suite installations. Because the issue is network-reachable and requires no user interaction or privileges, patch and exposure review should be expedited.
Recommended defensive actions
- Update CODESYS to the latest patched version from the official CODESYS website.
- Upgrade Festo Automation Suite to version 2.8.0.138 or later, where CODESYS is no longer bundled. The upgrade changes what the suite ships; a CODESYS installation already present on the workstation still has to be checked and updated on its own.
- For installations with earlier Festo Automation Suite versions, review the installed CODESYS component version and apply vendor update guidance promptly.
- Monitor CODESYS security advisories and apply security updates as soon as they are released.
- Follow CISA ICS recommended practices and defense-in-depth guidance for industrial control systems.
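The version review in the steps above is easy to get wrong when some hosts report a suite version, some report a CODESYS version, and some report neither. The following added example, written for this debrief and not taken from Festo or CODESYS tooling, does the comparison against the two thresholds the advisory text gives (CODESYS fixed from 3.5.14.0, Festo Automation Suite no longer bundling CODESYS from 2.8.0.138). The inventory records, host names and every version other than those two thresholds are constructed for illustration, and the `Host`/`triage` names are this example's own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

CODESYS_FIXED = "3.5.14.0"    # advisory text: affected versions are prior to V3.5.14.0
FAS_UNBUNDLED = "2.8.0.138"   # advisory text: CODESYS is no longer bundled from this release


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V3.5.14.0', '3.5.14.0' or '3.5.13' into a comparable tuple, padded to four parts."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def codesys_affected(version: str) -> bool:
    """Affected when the installed CODESYS V3 release predates the fixed version."""
    return parse_version(version) < parse_version(CODESYS_FIXED)


def fas_bundles_codesys(version: str) -> bool:
    """Earlier Festo Automation Suite builds shipped CODESYS components."""
    return parse_version(version) < parse_version(FAS_UNBUNDLED)


class Host(NamedTuple):
    name: str
    fas_version: Optional[str]       # Festo Automation Suite version, None if not installed
    codesys_version: Optional[str]   # any CODESYS V3 install seen on the host, None if not inventoried


def triage(hosts: List[Host]) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for every host that needs action; clean hosts are omitted."""
    findings = []
    for h in hosts:
        reasons = []
        bundled = bool(h.fas_version) and fas_bundles_codesys(h.fas_version)
        if bundled:
            reasons.append(f"Festo Automation Suite {h.fas_version} predates {FAS_UNBUNDLED} and bundles CODESYS")
        if h.codesys_version is not None:
            if codesys_affected(h.codesys_version):
                # Catches standalone installs too: a new suite version does not fix these.
                reasons.append(f"CODESYS {h.codesys_version} is older than {CODESYS_FIXED}")
        elif bundled:
            reasons.append("bundled CODESYS version not inventoried; must be checked on the host")
        if reasons:
            findings.append((h.name, reasons))
    return findings


# Constructed inventory for illustration; none of these hosts or versions come from the advisory.
SAMPLE_HOSTS = [
    Host("eng-ws-01", "2.7.0.10", "3.5.13.40"),   # old suite and old bundled CODESYS
    Host("eng-ws-02", "2.8.0.138", None),          # unbundled suite, no CODESYS present
    Host("eng-ws-03", "2.8.0.200", "V3.5.12.0"),   # new suite but an old standalone CODESYS
    Host("eng-ws-04", None, "3.5.16.0"),           # CODESYS only, already patched
    Host("eng-ws-05", "2.6.0.5", None),            # old suite, bundled CODESYS not inventoried
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_HOSTS):
        print(name)
        for r in reasons:
            print("  -", r)
```

The `elif bundled` branch is the part worth keeping: a host running an old suite with no CODESYS entry in the inventory is not clean, it is unknown, and the script reports it as such rather than silently passing it.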
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-076-01 and its included Festo reference material. The advisory title is 'CODESYS in Festo Automation Suite,' and the description explicitly states: 'Use of Insufficiently Random Values exists in CODESYS V3 products versions prior V3.5.14.0.' The remediation text in the source calls for downloading the latest patched CODESYS version directly from the official CODESYS website and maintaining Festo Automation Suite updates, including version 2.8.0.138 or later. Timeline context in the supplied corpus shows initial publication on 2026-02-26 and republication on 2026-03-17.
Official resources
- CVE-2018-20025 CVE record (CVE.org)
- CVE-2018-20025 NVD detail (NVD)
- Source item URL (cisa_csaf)
The supplied CISA CSAF advisory covering CVE-2018-20025 carries an initial publication date of 2026-02-26 and a republication date of 2026-03-17; the republication is CISA's initial republication of the Festo SE & Co. KG advisory FSA-202601.