PatchSiren cyber security CVE debrief
CVE-2019-19789 Unknown Vendor CVE debrief
CVE-2019-19789 is a medium-severity availability issue affecting specific CODESYS components used in Festo-related deployments. The advisory text describes a NULL pointer dereference in 3S-Smart CODESYS SP Realtime NT, CODESYS Runtime Toolkit 32 bit full, and CODESYS PLCWinNT before the fixed versions. In the CISA CSAF advisory republished from Festo, the vendor notes that Festo Automation Suite 2.8.0.138 is the point where CODESYS is no longer bundled, and that customers should install patched CODESYS releases directly from the official CODESYS channel.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS teams running Festo Automation Suite, administrators responsible for bundled CODESYS components, automation engineers, and security teams managing engineering workstations or runtime systems that use CODESYS SP Realtime NT, Runtime Toolkit, or PLCWinNT.
Technical summary
The supplied advisory says the vulnerable code path can dereference a NULL pointer in affected CODESYS components prior to 3S-Smart CODESYS SP Realtime NT V2.3.7.28, CODESYS Runtime Toolkit 32 bit full V2.4.7.54, and CODESYS PLCWinNT V2.4.7.54. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which indicates a network-reachable issue requiring low privileges, no user interaction, and a high availability impact with no stated confidentiality or integrity impact. The Festo advisory context also states that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed and maintained separately.
Defensive priority
Medium priority. Treat it as an availability-focused OT issue and prioritize remediation where exposed or actively used CODESYS components remain below the fixed versions.
Recommended defensive actions
- Inventory Festo Automation Suite deployments and confirm whether any installation is older than 2.8.0.138.
- Check installed CODESYS component versions and verify they are at or above the fixed releases named in the advisory.
- Install the latest patched CODESYS version directly from the official CODESYS website, following vendor update instructions.
- Update the Festo Automation Suite connector and keep Festo security advisories under routine review.
- Plan and test updates during maintenance windows to minimize operational disruption in OT environments.
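The inventory and version checks in the actions above can be scripted. The following is an added example, not code from the advisory, Festo, or CODESYS; it assumes a hypothetical CSV inventory with `host`, `product`, and `version` columns, and the short product-name strings used as keys are assumed labels. Versions are compared numerically, so `2.4.7.9` sorts below `2.4.7.54` where a plain string comparison would not.

```python
import csv
import io
import re

# Fixed-version thresholds stated in the advisory; the product-name keys are assumed labels.
FIXED = {
    "CODESYS SP Realtime NT": (2, 3, 7, 28),
    "CODESYS Runtime Toolkit 32 bit full": (2, 4, 7, 54),
    "CODESYS PLCWinNT": (2, 4, 7, 54),
}
SUITE = "Festo Automation Suite"
SUITE_UNBUNDLED = (2, 8, 0, 138)  # from this version on, CODESYS is not bundled

def parse_version(text):
    """Return 'V2.4.7.54' or '2.4.7.54' as a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){1,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 2.8 equals 2.8.0.0

def assess(product, version):
    """Classify one inventory row against the advisory thresholds."""
    parsed = parse_version(version)
    if parsed is None:
        return "UNKNOWN_VERSION"  # needs manual review; never assume patched
    if product == SUITE:
        return "BUNDLES_CODESYS" if parsed < SUITE_UNBUNDLED else "CODESYS_SEPARATE"
    if product not in FIXED:
        return "NOT_IN_ADVISORY"
    return "VULNERABLE" if parsed < FIXED[product] else "FIXED"

def audit(inventory_csv):
    """Return (host, product, status) for every row of the CSV inventory."""
    return [(r["host"], r["product"], assess(r["product"], r["version"]))
            for r in csv.DictReader(io.StringIO(inventory_csv))]

# Constructed sample inventory; hosts and installed versions are illustrative only.
SAMPLE = """host,product,version
eng-ws-01,Festo Automation Suite,2.7.1.10
eng-ws-01,CODESYS PLCWinNT,V2.4.7.9
rt-02,CODESYS SP Realtime NT,2.3.7.28
rt-03,CODESYS Runtime Toolkit 32 bit full,2.4.7.54
rt-04,CODESYS PLCWinNT,unknown
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `BUNDLES_CODESYS` result means the suite predates 2.8.0.138, so the CODESYS components installed with it still need their own version check.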
Evidence notes
This debrief is based on the supplied CISA CSAF source item ICSA-26-076-01, which republishes Festo advisory FSA-202601 for 'CODESYS in Festo Automation Suite.' The source description explicitly names the affected CODESYS components and the fixed version thresholds. The remediation text states that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS and directs customers to install patched CODESYS separately. The supplied CVSS vector supports a denial-of-service / availability-only interpretation.
Official resources
- CVE-2019-19789 CVE record (CVE.org)
- CVE-2019-19789 NVD detail (NVD)
- Source item URL (cisa_csaf)
Use the supplied advisory dates for timing context: initial publication on 2026-02-26 and CISA republication / advisory update on 2026-03-17. Do not treat the debrief generation time as the CVE issue date.