PatchSiren cyber security CVE debrief
CVE-2021-21867 Unknown Vendor CVE debrief
CVE-2021-21867 is an unsafe deserialization issue in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS Development System 3.5.16 and 3.5.17. According to the CISA-republished Festo advisory, a specially crafted file can trigger arbitrary command execution when processed by the affected software. In the Festo context, the issue is relevant to Festo Automation Suite deployments that bundle or depend on CODESYS components, and the vendor guidance emphasizes updating to patched CODESYS releases and keeping Festo Automation Suite components current.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Industrial automation teams, OT/ICS administrators, and engineers who use Festo Automation Suite or install/manage CODESYS Development System components. Organizations that open or exchange project/profile files with these tools should treat this as a priority due to the command-execution impact.
Technical summary
The vulnerable behavior is an unsafe deserialization path in CODESYS Development System’s ObjectManager.plugin ObjectStream.ProfileByteArray functionality. The advisory states that a specially crafted file can cause arbitrary command execution. CISA’s CSAF advisory republishes Festo’s guidance and connects the CVE to Festo Automation Suite deployments, including versions where CODESYS was bundled as an external component or installed alongside the suite. The source corpus identifies the vulnerable CODESYS versions as 3.5.16 and 3.5.17.
Defensive priority
High. The combination of arbitrary command execution and file-triggered exposure makes this a serious risk in OT environments, especially where affected CODESYS components are installed or where users may open untrusted files.
Recommended defensive actions
- Update CODESYS Development System to the latest patched version provided by the vendor.
- Install Festo Automation Suite updates promptly; Festo’s guidance notes that starting with version 2.8.0.138, CODESYS is no longer bundled and must be obtained separately.
- Follow the official CODESYS installation and update instructions to ensure security fixes are applied correctly.
- Review where CODESYS components are present in your environment, including external components bundled with Festo Automation Suite.
- Limit exposure to untrusted or externally supplied files that could be opened by affected CODESYS tooling.
- Monitor vendor advisories from both Festo and CODESYS for follow-on guidance and patch notices.
Evidence notes
This debrief is grounded in the supplied CISA CSAF advisory (ICSA-26-076-01), which republishes Festo SE & Co. KG advisory FSA-202601, and in the advisory text stating that unsafe deserialization in CODESYS Development System 3.5.16 and 3.5.17 can lead to arbitrary command execution via a crafted file. Timing reflects the provided CVE published date of 2026-02-26 and modified date of 2026-03-17.
Official resources
- CVE-2021-21867 CVE record (CVE.org)
- CVE-2021-21867 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2021-21867 was published on 2026-02-26 and last modified on 2026-03-17. The supplied source shows an initial CISA advisory publication on 2026-02-26 and a republication on 2026-03-17 incorporating Festo advisory FSA-202601. No exploit-w