PatchSiren cyber security CVE debrief
CVE-2022-4046 Schneider Electric CVE debrief
CVE-2022-4046 is a high-severity issue in CODESYS Control affecting multiple versions and described as an improper restriction of operations within memory buffer bounds. In the CISA-republished advisory for Festo Automation Suite, the issue is framed as allowing a remote attacker with user privileges to gain full access to the device. The supplied advisory dates show initial public disclosure on 2026-02-26 and a revision on 2026-03-17.
- Vendor: Schneider Electric
- Product: HMISCU Controller
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-07-11
- Original CVE updated: 2026-01-20
- Advisory published: 2023-07-11
- Advisory updated: 2026-01-20
Who should care
OT/ICS operators, asset owners, and patch managers using Festo Automation Suite or separately installed CODESYS components, especially where engineering workstations or control interfaces may be reachable by authenticated users.
Technical summary
The advisory describes a memory-buffer bounds restriction failure in CODESYS Control that can be abused by a remote attacker with low privileges. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network exposure, no user interaction, and high impact to confidentiality, integrity, and availability. CISA’s CSAF entry for ICSA-26-076-01 ties the issue to Festo Automation Suite deployments that include CODESYS Development System components. The advisory lists affected combinations including Festo Automation Suite versions below 2.8.0.138 with bundled CODESYS Development System 3.0 or 3.5.16.10, and notes that starting with FAS 2.8.0.138, CODESYS is no longer bundled.
Defensive priority
High priority for any exposed or widely used OT deployment; treat as urgent if authenticated users can reach the affected engineering or control interfaces.
Recommended defensive actions
- Update Festo Automation Suite to version 2.8.0.138 or later.
- Install the latest patched CODESYS release directly from the official CODESYS website.
- Verify any separately installed CODESYS Development System components are on vendor-patched versions.
- Keep the Festo Automation Suite connector updated by applying Festo releases as they are published.
- Monitor CODESYS and Festo PSIRT advisories and apply fixes promptly.
- Reduce exposure by limiting network access to engineering and control interfaces and following CISA ICS defensive guidance.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01, which republishes Festo’s advisory FSA-202601. The source describes an improper restriction of operations within memory buffer bounds in CODESYS Control and ties it to Festo Automation Suite/CODESYS version combinations. The supplied record also includes the CVSS v3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, consistent with remote exploitation by a low-privileged user and high device impact. The vendor/product mapping in this record's header should be reviewed: the source title is ‘CODESYS in Festo Automation Suite,’ so the safest attribution is to Festo Automation Suite deployments involving CODESYS components rather than a generic FESTO product label.
Official resources
- CVE-2022-4046 CVE record (CVE.org)
- CVE-2022-4046 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA first published the advisory on 2026-02-26 and republished it on 2026-03-17. Use those dates as the advisory publication and modification timestamps for this record.