PatchSiren cyber security CVE debrief
CVE-2021-21864 Unknown Vendor CVE debrief
CVE-2021-21864 is a high-severity unsafe deserialization issue in the ComponentModel ComponentManager.StartupCultureSettings function of CODESYS Development System 3.5.16 and 3.5.17. In the republished CISA advisory, it is described in the context of Festo Automation Suite packaging, where a specially crafted file can lead to arbitrary command execution. Because the attack path depends on a malicious file and user interaction, the main concern is code execution on engineering or automation endpoints that process untrusted files.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Organizations running Festo Automation Suite or affected CODESYS Development System installations, especially OT, engineering, and automation teams that exchange project files, import configurations, or rely on vendor-supplied packages on shared workstations.
Technical summary
The advisory describes an unsafe deserialization weakness in ComponentModel ComponentManager.StartupCultureSettings. The provided CVSS vector indicates local attack conditions, low complexity, no privileges required, and user interaction required, with high confidentiality, integrity, and availability impact. The documented outcome is arbitrary command execution when a specially crafted file is processed.
Defensive priority
High for systems that handle supplier files, project imports, or other untrusted inputs; moderate for tightly isolated installations that never process external files, but still important because the impact is code execution.
Recommended defensive actions
- Upgrade to the latest patched CODESYS release from official CODESYS channels and follow the vendor's installation guidance.
- If using Festo Automation Suite, install the FAS updates released by Festo; the advisory states that starting with version 2.8.0.138, CODESYS is no longer bundled and must be installed separately.
- Treat project and configuration files as potentially hostile and restrict receipt of untrusted files on engineering workstations.
- Monitor CODESYS and Festo security advisories and apply updates promptly.
- Verify that affected CODESYS versions 3.5.16 and 3.5.17 are not present in deployed environments, including externally installed components.
Evidence notes
The source corpus contains a CISA CSAF advisory (ICSA-26-076-01) republished from Festo's advisory. Its revision history shows an initial release on 2026-02-26 and a republication on 2026-03-17. The advisory text names CODESYS Development System 3.5.16 and 3.5.17 and states that a specially crafted file can cause arbitrary command execution. The vendor metadata supplied with the prompt is inconsistent with the advisory text; the evidence links this issue to Festo Automation Suite packaging and CODESYS, so the product attribution should be reviewed.
Official resources
- CVE-2021-21864 CVE record (CVE.org)
- CVE-2021-21864 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA's source advisory was published on 2026-02-26 and republished on 2026-03-17, based on the vendor advisory revision history included in the source corpus. This debrief uses the CVE published date for timing context and does not treat de