PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-14519 Unknown Vendor CVE debrief

CVE-2020-14519 is a high-severity integrity issue affecting CodeMeter-related components used with Festo Automation Suite and CODESYS. According to CISA’s CSAF advisory, crafted JavaScript can abuse the internal WebSockets API, and the impact may include alteration or creation of license files when combined with CVE-2020-14515. The advisory was published on 2026-02-26 and updated on 2026-03-17.

Vendor: Unknown Vendor
Product: FESTO
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

Organizations using Festo Automation Suite, especially installations that include affected CODESYS/CodeMeter components or expose browser-accessed web server workflows. OT and industrial automation teams should prioritize review if the WebSockets API remains enabled or if the environment depends on license-file integrity.

Technical summary

The advisory describes abuse of CodeMeter’s internal WebSockets API via a specifically crafted JavaScript payload. Affected scope includes all versions prior to 7.00, and version 7.0 or newer if the affected WebSockets API is still enabled. CISA notes the issue is especially relevant where a web browser is used to access a web server, and that license-file alteration/creation can occur when this issue is combined with CVE-2020-14515.

Defensive priority

High

Recommended defensive actions

  • Update Festo Automation Suite to version 2.8.0.138 or later, where CODESYS is no longer bundled.
  • Install the latest patched CODESYS version directly from the official CODESYS website.
  • Follow the vendor-provided installation and update instructions to ensure security fixes are applied.
  • Review whether the affected CodeMeter WebSockets API is enabled on any version 7.0 or newer systems and reduce exposure where it is not required.
  • Keep the Festo Automation Suite connector up to date by applying Festo-released updates promptly.
  • Monitor official CODESYS and Festo security advisories for follow-on fixes or related issues such as CVE-2020-14515.
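As an added, defender-side example (not code from the PatchSiren page, CISA, Festo, CODESYS or Wibu-Systems), the script below applies the advisory's scope rule to a constructed host inventory: any CodeMeter version before 7.00 is affected outright, while 7.0 or newer is only flagged while the internal WebSockets API remains enabled. The inventory fields, host names and version strings are all assumed; the action text paraphrases the recommendations above.

```python
import re
from dataclasses import dataclass

# Threshold stated in the advisory: every version before 7.00 is affected.
FIXED_VERSION = (7, 0)


@dataclass(frozen=True)
class Host:
    """One inventory record (field names are an assumption for this example)."""
    name: str
    codemeter_version: str        # version string as reported by the host
    websockets_api_enabled: bool  # whether the internal WebSockets API is still on


def parse_version(text: str) -> tuple:
    """Turn strings such as '6.90', '7.00' or '7.10a' into a comparable int tuple."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(host: Host) -> str:
    """Classify one host according to the advisory's affected-scope rule."""
    if parse_version(host.codemeter_version) < FIXED_VERSION:
        return "affected"      # pre-7.00: patch regardless of the API state
    if host.websockets_api_enabled:
        return "exposed"       # 7.0+ but the WebSockets API is still enabled
    return "not_affected"


# Recommended follow-up per status, paraphrased from the defensive actions above.
ACTIONS = {
    "affected": "update CodeMeter/CODESYS from the official sources, then re-assess",
    "exposed": "disable the internal WebSockets API unless a workflow requires it",
    "not_affected": "no change needed; keep monitoring CODESYS and Festo advisories",
}


def triage(hosts) -> dict:
    """Return {host name: (status, recommended action)} for a whole inventory."""
    report = {}
    for host in hosts:
        status = assess(host)
        report[host.name] = (status, ACTIONS[status])
    return report


if __name__ == "__main__":
    # Constructed sample inventory; none of these hosts or versions are real findings.
    inventory = [
        Host("plc-eng-01", "6.90", websockets_api_enabled=True),
        Host("plc-eng-02", "7.00", websockets_api_enabled=True),
        Host("plc-eng-03", "7.10a", websockets_api_enabled=False),
    ]
    for name, (status, action) in triage(inventory).items():
        print(f"{name}: {status} -> {action}")
```

Because the rule is encoded in one place (`assess`), the same script can be re-run after patching or after the API is switched off to confirm every host has moved to `not_affected`.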

Evidence notes

Source evidence comes from CISA’s CSAF advisory ICSA-26-076-01 (source item URL provided) and its listed references to Festo, CODESYS, and CISA advisory pages. The advisory text explicitly states that all versions prior to 7.00 are affected, that version 7.0 or newer remains affected when the affected WebSockets API is still enabled, and that crafted JavaScript may alter or create license files when combined with CVE-2020-14515. Timing context is taken from the supplied advisory dates: published 2026-02-26 and modified 2026-03-17.

Official resources

CISA published the advisory on 2026-02-26 and republished/updated it on 2026-03-17. The vulnerability is documented as affecting Festo Automation Suite/CODESYS-related deployments rather than being tied to the generation date of this de