PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-21865 Unknown Vendor CVE debrief

CVE-2021-21865 is an unsafe deserialization vulnerability in the PackageManagement.plugin ExtensionMethods.Clone() functionality of the CODESYS Development System. A specially crafted file handed to the affected component can lead to arbitrary command execution in the context of the user who processes it. In the supplied advisory the issue is tied to Festo Automation Suite deployments that bundle the affected CODESYS components, and the reported severity is High (CVSS base score 7.8).

Vendor: Unknown Vendor (the vulnerable component is CODESYS software bundled with Festo Automation Suite; see Evidence notes)
Product: Festo Automation Suite (bundled CODESYS Development System)
CVSS: 7.8 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26 (date as recorded in the stored advisory evidence; see Evidence notes)
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT/ICS administrators, Festo Automation Suite operators, engineering workstations running CODESYS, and patch teams responsible for software distribution in industrial environments.

Technical summary

The advisory describes an unsafe deserialization flaw in PackageManagement.plugin ExtensionMethods.Clone() within CODESYS Development System 3.5.16. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) means the attacker needs local access (AV:L) and a user action (UI:R), in practice a user opening or importing the crafted file, but no prior privileges (PR:N) and no special conditions (AC:L); a successful exploit gives full confidentiality, integrity, and availability impact (C:H/I:H/A:H) without crossing into other components (S:U). The source advisory associates exposure with Festo Automation Suite versions below 2.8.0.138, which bundle CODESYS, and with installations of CODESYS Development System 3.5.16.10.

Defensive priority

High. Treat as a priority patching issue for any affected Festo/CODESYS installation, especially engineering or operator workstations where users open project or package files from outside the organisation.

Recommended defensive actions

  • Update Festo Automation Suite to version 2.8.0.138 or later; from that version the suite no longer bundles CODESYS, so the vulnerable component is no longer installed with it.
  • Install the latest patched CODESYS release directly from the official CODESYS website, following the vendor's installation guidance, on every workstation that still needs the Development System.
  • Inventory systems running CODESYS Development System 3.5.16.10 or the bundled components from older suite versions, and remove or replace the vulnerable versions.
  • Until remediation is complete, restrict handling of untrusted files (project and package files received by email, removable media, or download) on engineering workstations, since the flaw is triggered by a user processing a crafted file.
  • Monitor Festo and CODESYS security advisories and apply updates promptly across the OT environment.
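The inventory step above is where patch teams usually lose time, because suite versions and stand-alone CODESYS versions have to be judged by different rules. The following script applies the advisory's version guidance to an exported software inventory. It is an added example, not Festo, CODESYS or CISA tooling; the CSV rows are constructed hosts, and the column names (host, product, version) are an assumed export format that you would map to your own CMDB or endpoint-management export.

```python
"""Triage a software-inventory export against the advisory's version rules
(added example; hosts below are constructed, not real systems).

Rules taken from the debrief:
  * Festo Automation Suite below 2.8.0.138 still bundles vulnerable CODESYS.
  * CODESYS Development System 3.5.16.x (3.5.16.10 is the version named)
    is the affected branch.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

FESTO_FIXED = (2, 8, 0, 138)          # first suite version without bundled CODESYS
CODESYS_AFFECTED_BRANCH = (3, 5, 16)  # 3.5.16.x per the advisory

# Constructed inventory export (assumed columns: host, product, version).
INVENTORY_CSV = """host,product,version
ENG-WS-01,Festo Automation Suite,2.7.1.50
ENG-WS-02,Festo Automation Suite,2.8.0.138
ENG-WS-03,CODESYS Development System,3.5.16.10
ENG-WS-04,CODESYS Development System,3.5.19.20
HMI-07,Festo Automation Suite,2.8.1.5
ENG-WS-05,CODESYS Development System,3.5.16.10-beta
ENG-WS-06,CODESYS Development System,unknown
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'3.5.16.10' -> (3, 5, 16, 10), padded to four parts.

    A non-numeric suffix such as '10-beta' keeps its numeric prefix and stops
    parsing there; a version with no leading number at all returns None so
    the caller can flag it for manual review instead of silently passing it.
    """
    nums: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        nums.append(int(digits))
        if digits != piece:  # suffix after the number: stop here
            break
    if not nums:
        return None
    return tuple(nums + [0] * (4 - len(nums)))


@dataclass
class Finding:
    host: str
    product: str
    version: str
    reason: str


def triage(csv_text: str) -> List[Finding]:
    """Return one Finding per inventory row that needs action."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, product, version = row["host"], row["product"], row["version"]
        v = parse_version(version)
        if v is None:
            findings.append(Finding(host, product, version,
                                    "unparseable version; verify manually"))
        elif product == "Festo Automation Suite" and v < FESTO_FIXED:
            findings.append(Finding(host, product, version,
                                    "bundles vulnerable CODESYS; update suite to 2.8.0.138+ "
                                    "and install patched CODESYS from codesys.com"))
        elif product == "CODESYS Development System" and v[:3] == CODESYS_AFFECTED_BRANCH:
            findings.append(Finding(host, product, version,
                                    "affected 3.5.16 branch; replace with latest CODESYS release"))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY_CSV):
        print(f"{f.host:<10} {f.product:<28} {f.version:<16} {f.reason}")
```

Note that ENG-WS-02 (exactly 2.8.0.138) and HMI-07 (a later 2.8.x) are not flagged, while a pre-release string like 3.5.16.10-beta still lands in the affected branch; anything the parser cannot read is surfaced rather than dropped, which is the failure mode that matters when the inventory is the basis for declaring an advisory closed.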

Evidence notes

This debrief is based on CISA CSAF advisory ICSA-26-076-01 (published 2026-02-26, republished 2026-03-17) and the supplied source item text. The advisory explicitly names the unsafe deserialization issue, the affected CODESYS component, the malicious-file trigger, and the remediation shift introduced in Festo Automation Suite 2.8.0.138. The supplied CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which under the CVSS v3 base equations gives 7.8 and supports a high-severity, user-interaction-dependent local attack scenario. Two caveats on the metadata: first, the "Original CVE published" date above is taken from the stored advisory record, whereas the CVE identifier itself is from the 2021 numbering year, so the underlying flaw was disclosed well before this advisory and the 2026 dates should be read as the advisory timeline rather than the original disclosure. Second, the stored metadata marks the vendor identity as low-confidence/needs review: the vulnerable code is CODESYS software, and Festo appears because its Automation Suite bundled that software, so product naming should be anchored to the advisory title and its affected-product listings rather than to the placeholder vendor field.

Official resources

The CISA CSAF advisory ICSA-26-076-01 was published on 2026-02-26 and republished on 2026-03-17. No KEV listing or ransomware-campaign use is indicated in the supplied corpus. Patched CODESYS releases are distributed through the official CODESYS website, and suite updates through Festo, as stated in the recommended actions above.