PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-20026 Kaspersky Lab CVE debrief

CVE-2018-20026 is an industrial control systems vulnerability involving improper communication address filtering in CODESYS V3 products prior to version 3.5.14.0. In the CISA-republished Festo advisory, the issue is tied to Festo Automation Suite deployments that include CODESYS components, and the advised response is to move to patched CODESYS releases and keep the suite current.

Vendor: Kaspersky Lab
Product: FESTO
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

OT/ICS administrators, engineering-workstation owners, and teams maintaining Festo Automation Suite or other CODESYS V3 deployments, especially on systems reachable from production or engineering networks.

Technical summary

The advisory describes insufficient communication address filtering in CODESYS V3 products before 3.5.14.0. The supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates an issue reachable over the network with low attack complexity, no privileges and no user interaction required, and a high confidentiality impact; the vector rates integrity and availability impact as none (I:N/A:N), so the 7.5 score rests on confidentiality alone.

Defensive priority

High. This is network-reachable, requires no privileges or user interaction, and is rated for high confidentiality impact in OT/ICS software used in engineering and automation environments.

Recommended defensive actions

  • Update affected CODESYS V3 installations to a patched release at or after version 3.5.14.0 from the official CODESYS website.
  • Upgrade Festo Automation Suite to version 2.8.0.138 or later and verify that any installed CODESYS components are patched.
  • Follow the vendor’s installation and update instructions to confirm the fix is applied across all affected engineering systems.
  • Keep monitoring Festo and CODESYS security advisories and apply updates promptly when new fixes are released.
  • Keep the Festo Automation Suite connector up to date with the latest Festo release.

Evidence notes

This debrief is based on the supplied CISA CSAF advisory item for ICSA-26-076-01 and its referenced Festo/CertVDE materials. The source advisory states the issue is “Improper Communication Address Filtering” in CODESYS V3 products prior to 3.5.14.0, and the remediation text specifically recommends updating to patched CODESYS releases and maintaining Festo Automation Suite updates. The advisory revision history shows initial publication on 2026-02-26 and a CISA republication on 2026-03-17. No KEV entry was provided in the corpus.

Official resources

Publicly disclosed in the CISA CSAF advisory dated 2026-02-26, with a CISA republication on 2026-03-17 based on the Festo advisory. This debrief uses the CVE and advisory published dates supplied in the corpus, not generation or review time.