PatchSiren cyber security CVE debrief
CVE-2020-14513 Unknown Vendor CVE debrief
This is a high-severity availability issue affecting CodeMeter and software that uses it. According to the advisory, a specially crafted license file can cause a crash because length fields are not verified. The CISA-republished CSAF advisory ties the issue to Festo Automation Suite and CODESYS components, with version guidance pointing to Festo Automation Suite 2.8.0.138 and later plus separately installed, patched CODESYS components.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS administrators, Festo Automation Suite users, CODESYS/CodeMeter operators, and any team managing engineering workstations or production systems that process CodeMeter license files.
Technical summary
CVE-2020-14513 describes a crash condition in CodeMeter (all versions prior to 6.81) when processing a specifically crafted license file. The stated cause is unverified length fields during parsing. The advisory material identifies impacted Festo Automation Suite/CODESYS combinations and notes that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be downloaded and installed separately.
Defensive priority
High. The CVSS vector indicates a network attack vector with no privileges or user interaction required, and the impact is on availability. In industrial or engineering environments, even a crash-only issue can disrupt operations, so patching and component inventory should be prioritized.
Recommended defensive actions
- Update CodeMeter to version 6.81 or later, following the vendor's remediation guidance.
- Upgrade Festo Automation Suite to version 2.8.0.138 or later.
- Install the latest patched CODESYS release directly from the official CODESYS website.
- Follow vendor installation and update instructions to ensure all security fixes are applied.
- Monitor Festo and CODESYS security advisories and apply updates promptly.
- Keep the Festo Automation Suite connector updated with released FAS updates.
- Identify systems running Festo Automation Suite versions older than 2.8.0.138 and any CodeMeter deployments earlier than 6.81.
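One way to carry out the last item above, as an added example that is not taken from the advisory or from any vendor tooling: a triage pass over a software inventory export using the two fixed versions named on this page. The CSV layout, host names, sample versions and function names are assumptions made for illustration.

```python
import csv
import io
import re

# Minimum fixed versions as stated on this page (keys are lower-cased product names).
FIXED = {"codemeter": "6.81", "festo automation suite": "2.8.0.138"}

# Constructed sample inventory: hypothetical hosts, hypothetical export format.
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,CodeMeter,6.70
eng-ws-02,CodeMeter,6.81
eng-ws-03,CodeMeter,7.10a
eng-ws-04,Festo Automation Suite,2.8.0.137
eng-ws-05,Festo Automation Suite,2.8.0.138
hmi-07,CodeMeter,unknown
"""

def parse_version(text):
    """Split '6.90a' into ((6, 90), 'a'); return None if it is not a dotted version."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)([a-z]?)\s*", text, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2).lower()

def is_older(version, fixed):
    """True if version < fixed; shorter versions are zero-padded (6.81 == 6.81.0)."""
    (nums, suffix), (fnums, fsuffix) = version, fixed
    width = max(len(nums), len(fnums))
    pad = lambda t: t + (0,) * (width - len(t))
    return (pad(nums), suffix) < (pad(fnums), fsuffix)

def triage(inventory_csv):
    """Map each host to 'vulnerable', 'ok', 'review' or 'untracked'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["product"].strip().lower())
        version = parse_version(row["version"])
        if fixed is None:
            status = "untracked"   # product has no fixed version listed on this page
        elif version is None:
            status = "review"      # unparsable version: check by hand, never assume patched
        else:
            status = "vulnerable" if is_older(version, parse_version(fixed)) else "ok"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared component by component as integers, so 6.9 sorts below 6.81 where a plain string comparison would not. CODESYS is left out of the table because this page gives no fixed CODESYS version number.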
Evidence notes
The source advisory states: 'CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.' The advisory metadata and references place the issue in the Festo Automation Suite/CODESYS ecosystem, and remediation says Festo Automation Suite 2.8.0.138 no longer bundles CODESYS. CISA's revision history shows the advisory was initially published on 2026-02-26 and republished on 2026-03-17 as an initial CISA republication of Festo advisory FSA-202601.
Official resources
- CVE-2020-14513 CVE record (CVE.org)
- CVE-2020-14513 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA CSAF advisory ICSA-26-076-01 was published on 2026-02-26 and republished on 2026-03-17, with the latter revision marked as the initial CISA republication of Festo SE & Co. KG advisory FSA-202601. The source metadata does not indicate a