PatchSiren cyber security CVE debrief
CVE-2021-21868 Unknown Vendor CVE debrief
CVE-2021-21868 is an unsafe deserialization issue in the ObjectManager.plugin Project.get_MissingTypes() path of CODESYS Development System 3.5.16 and 3.5.17. The supplied CISA CSAF advisory says a specially crafted file can lead to arbitrary command execution. The advisory was initially published on 2026-02-26 and updated on 2026-03-17. It also notes that Festo Automation Suite 2.8.0.138 no longer bundles CODESYS, shifting customers to separately installed, patched CODESYS releases.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT and engineering teams using Festo Automation Suite, especially installations that include CODESYS Development System 3.5.16 or 3.5.17; administrators responsible for workstations that open imported project files; and asset owners managing patching for industrial software.
Technical summary
The flaw is described as unsafe deserialization in ObjectManager.plugin Project.get_MissingTypes(). The published CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates local access and user interaction are required, but successful abuse can still result in arbitrary command execution and high impact to confidentiality, integrity, and availability when a malicious file is processed.
Defensive priority
High. The attack requires user interaction, but the impact is severe and the affected software is used in engineering and industrial environments where malicious project files can be a practical delivery path.
Recommended defensive actions
- Upgrade to a patched CODESYS release from the official CODESYS website, following the vendor's installation and update instructions.
- Update Festo Automation Suite to version 2.8.0.138 or later, where CODESYS is no longer bundled and the connector is maintained separately.
- Review where CODESYS Development System 3.5.16 or 3.5.17 is installed, including systems bundled with older Festo Automation Suite releases.
- Restrict handling of untrusted project or configuration files on affected engineering workstations.
- Monitor CODESYS and Festo security advisories and apply fixes promptly when released.
- Use layered controls for OT/ICS endpoints, including least privilege and application allowlisting where practical.
Evidence notes
The source corpus explicitly states: "An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution." The remediation text says that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and customers should download the latest patched CODESYS version from the official CODESYS website. The supplied metadata contains a vendor/product mapping inconsistency (FESTO vs. CODESYS), so the affected-product scope should be treated as needing review.
Official resources
- CVE-2021-21868 CVE record (CVE.org)
- CVE-2021-21868 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA's CSAF advisory ICSA-26-076-01 was published on 2026-02-26 and republished on 2026-03-17, with the advisory content sourced from Festo's FSA-202601 materials. Because the supplied metadata includes an inconsistency in vendor/product sc