PatchSiren cyber security CVE debrief
CVE-2021-21866 Unknown Vendor CVE debrief
CVE-2021-21866 is a high-severity unsafe deserialization issue in CODESYS ProfileInformation.ProfileData. According to the advisory, a specially crafted file can trigger arbitrary command execution, making affected engineering workstations and OT environments a priority for patching.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS administrators, engineering workstation owners, and security teams using CODESYS Development System 3.5.16 or 3.5.17, especially where CODESYS is installed through or alongside Festo Automation Suite.
Technical summary
The source advisory identifies an unsafe deserialization weakness in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System. The reported impact is arbitrary command execution when a malicious file is supplied and opened. The provided CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a local attack that requires user interaction but can have high confidentiality, integrity, and availability impact. The remediation guidance also notes that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed separately, with customers directed to install a patched CODESYS release from the official CODESYS website.
Defensive priority
High for engineering endpoints and OT assets that process untrusted files; prioritize if CODESYS is installed on user-accessible systems or bundled into Festo Automation Suite deployments.
Recommended defensive actions
- Upgrade Festo Automation Suite to version 2.8.0.138 or later, where CODESYS is no longer bundled.
- Install the latest patched CODESYS release directly from the official CODESYS website, following vendor update instructions.
- Treat files opened by CODESYS/ProfileInformation.ProfileData as untrusted until the environment is updated and validated.
- Keep the Festo Automation Suite connector current and monitor CODESYS security advisories for follow-on fixes.
Evidence notes
The supplied CISA CSAF advisory (ICSA-26-076-01) was initially published on 2026-02-26 and republished on 2026-03-17. Its text attributes the issue to unsafe deserialization in ObjectManager.plugin ProfileInformation.ProfileData and states that a crafted file can cause arbitrary command execution. The vendor metadata in this debrief is low-confidence and should be reviewed; the source advisory title is 'CODESYS in Festo Automation Suite' and the references point to CODESYS/Festo materials.
Official resources
- CVE-2021-21866 CVE record (CVE.org)
- CVE-2021-21866 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed through a CISA CSAF advisory and related vendor references. The source history shows an initial publication on 2026-02-26 and a CISA republication on 2026-03-17.