PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-14517 Unknown Vendor CVE debrief

CVE-2020-14517 is a critical network-exposed weakness in CodeMeter protocol encryption. According to the advisory, CodeMeter versions prior to 6.90 are affected, and version 6.90 or newer is also affected when CodeMeter Runtime is running as a server and accepts external connections. In the CISA-republished Festo advisory, this condition is tied to Festo Automation Suite deployments that bundle CODESYS components, making exposed OT/engineering systems a high-priority target for patching and network containment.

Vendor: Unknown Vendor
Product: FESTO
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT and ICS administrators, Festo Automation Suite users, CODESYS/CodeMeter operators, industrial engineering teams, and network defenders responsible for systems that may expose CodeMeter Runtime to external connections.

Technical summary

The source advisory states that CodeMeter protocol encryption can be easily broken, allowing an attacker to remotely communicate with the CodeMeter API. The impacted scope includes all CodeMeter versions before 6.90, and 6.90+ when Runtime runs as a server and accepts external connections. The CISA source maps the issue to Festo Automation Suite installations associated with bundled CODESYS development system components, including versions below 2.8.0.138.

Defensive priority

Critical. Treat as urgent for any environment where CodeMeter Runtime is reachable from untrusted networks or where Festo Automation Suite/CODESYS components are deployed on engineering or OT assets.

Recommended defensive actions

  • Upgrade Festo Automation Suite to version 2.8.0.138 or later.
  • Install the latest patched CodeMeter/CODESYS releases directly from the official CODESYS website.
  • Verify that CodeMeter Runtime is not exposed as a server to external networks unless there is a documented business need.
  • Restrict and segment network access to engineering and OT systems that use CodeMeter.
  • Monitor official Festo and CODESYS security advisories and apply updates promptly.
  • Keep the Festo Automation Suite connector up to date using vendor-released updates.
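The two affected-scope conditions above (any version below 6.90, or 6.90+ with the Runtime accepting external connections) can be turned into a quick triage check. The following is an added example, not code from the advisory or from Festo/Wibu-Systems; it assumes CodeMeter Runtime listens on TCP port 22350 (its documented default, to be confirmed on your installation) and parses constructed `netstat -ano`-style lines.

```python
"""Added triage helper for the CVE-2020-14517 exposure conditions.
Assumptions (not from the advisory): CodeMeter Runtime listens on TCP 22350,
and input lines follow the Windows `netstat -ano` column layout."""
import re
from typing import List, Tuple

CODEMETER_PORT = 22350  # assumed default CodeMeter network port
LOOPBACK_HOSTS = ("127.0.0.1", "[::1]")

# Constructed sample output: one listener bound to all interfaces (exposed),
# one loopback-only listener, and an unrelated port that must be ignored.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:22350          0.0.0.0:0              LISTENING       1234",
    "  TCP    127.0.0.1:22350        0.0.0.0:0              LISTENING       1234",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
]
LOCAL_ONLY_NETSTAT = [
    "  TCP    127.0.0.1:22350        0.0.0.0:0              LISTENING       1234",
    "  TCP    [::1]:22350            [::]:0                 LISTENING       1234",
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'6.81' -> (6, 81); CodeMeter labels minors with two digits, so 6.90 > 6.81."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def exposed_listeners(netstat_lines: List[str]) -> List[str]:
    """Local addresses where the CodeMeter port listens on a non-loopback interface."""
    found = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or "LISTENING" not in parts:
            continue
        local = parts[1]
        host, _, port = local.rpartition(":")  # handles "[::]:22350" too
        if port == str(CODEMETER_PORT) and host not in LOOPBACK_HOSTS:
            found.append(local)
    return found

def assess(version: str, netstat_lines: List[str]) -> str:
    """Apply the advisory's two affected-scope conditions to one host."""
    exposed = exposed_listeners(netstat_lines)
    if parse_version(version) < (6, 90):
        return "VULNERABLE: CodeMeter < 6.90 (all deployments affected)"
    if exposed:
        return ("VULNERABLE: CodeMeter >= 6.90 but Runtime accepts external "
                "connections on " + ", ".join(exposed))
    return "NOT AFFECTED by the stated conditions: >= 6.90 and no network-exposed listener"

if __name__ == "__main__":
    print(assess("6.81", SAMPLE_NETSTAT))
    print(assess("7.10", SAMPLE_NETSTAT))
    print(assess("7.10", LOCAL_ONLY_NETSTAT))
```

A loopback-only listener still serves local licence checks, so the "NOT AFFECTED" result only covers the network-exposure condition the advisory describes, not other hardening.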

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-076-01, which republishes Festo SE & Co. KG advisory FSA-202601, plus the linked official Festo, CERTVDE, CISA, CVE.org, and NVD references. The supplied record’s vendor mapping is low-confidence/needs-review, so the product attribution should be treated cautiously and anchored to the source advisory text.

Official resources

Advisory timing in this debrief follows the supplied CVE/advisory publication and modification timestamps (2026-02-26 and 2026-03-17). Those dates describe advisory publication activity, not the original vulnerability discovery date. The SO