PatchSiren cyber security CVE debrief
CVE-2021-21869 Unknown Vendor CVE debrief
CVE-2021-21869 is a high-severity code execution issue in CODESYS-related software used in Festo Automation Suite deployments. According to the CISA advisory, an unsafe deserialization flaw in Engine.plugin ProfileInformation ProfileData can be triggered by a specially crafted file, allowing arbitrary command execution when a user processes the file. The advisory context ties the issue to CODESYS Development System versions 3.5.16 and 3.5.17, and recommends updating to patched vendor releases.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Industrial automation and OT teams using Festo Automation Suite or CODESYS Development System, especially engineering workstations and support systems that open, import, or exchange project/profile files. Security and patch-management teams responsible for vendor software in plant, lab, or staging environments should also prioritize review.
Technical summary
The vulnerability is an unsafe deserialization condition in the Engine.plugin ProfileInformation ProfileData functionality. The attack path described in the advisory is file-based: a maliciously crafted file can trigger arbitrary command execution. The supplied CVSS vector indicates local access and user interaction are required (AV:L/PR:N/UI:R), but the impact is high because confidentiality, integrity, and availability are all rated high. The Festo remediation guidance says that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed separately; customers should obtain the latest patched CODESYS release directly from the official CODESYS site and keep the FAS connector updated.
Defensive priority
High. Prioritize if affected CODESYS components are present on engineering or maintenance systems, or if those systems handle files from external or untrusted sources. Risk is lower only after confirming the affected versions are absent or patched.
Recommended defensive actions
- Inventory Festo Automation Suite and any standalone CODESYS Development System installations to confirm whether affected components are present.
- Upgrade to the latest patched CODESYS release from the official CODESYS website and follow the vendor's installation and update instructions.
- If you use Festo Automation Suite, move to a version that no longer bundles CODESYS as described by Festo and keep the FAS connector updated.
- Treat imported project and profile files as untrusted input and limit file exchange to trusted sources and approved workflows.
- Monitor CISA, Festo, and CODESYS security advisories and apply updates promptly across engineering workstations and OT support systems.
- Verify that development, test, backup, and production images all use the same patched component versions before redeployment.
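As an added inventory check for the first and last actions above (not part of the advisory and not a Festo or CODESYS tool), the following PowerShell lists installed CODESYS and Festo Automation Suite components from the standard Windows Uninstall registry keys and flags the CODESYS versions the advisory names (3.5.16 and 3.5.17) and Festo Automation Suite builds older than 2.8.0.138. It assumes the installers register under those keys with a DisplayName containing "CODESYS" or "Festo Automation Suite"; adjust the patterns to what your installs actually report.

```powershell
# Added example: inventory CODESYS / Festo Automation Suite installs on a
# Windows engineering workstation. Assumes the products appear under the
# standard Uninstall keys (not verified against a specific installer).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# CODESYS Development System versions the advisory ties to CVE-2021-21869.
$affectedCodesysPattern = '^3\.5\.1[67](\.|$)'
# First Festo Automation Suite release that no longer bundles CODESYS.
$fasUnbundledFrom = [version]'2.8.0.138'

function Get-CodesysInventory {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'CODESYS|Festo Automation Suite' } |
        ForEach-Object {
            $name = $_.DisplayName
            $ver  = [string]$_.DisplayVersion
            if ($name -match 'CODESYS') {
                $status = if ($ver -match $affectedCodesysPattern) {
                    'AFFECTED: update to the latest patched CODESYS release'
                } else {
                    'Check version against the CODESYS advisory patch list'
                }
            } else {
                # Older FAS builds bundled CODESYS; newer ones require a separate install.
                $parsed = $null
                $status = if ([version]::TryParse($ver, [ref]$parsed) -and $parsed -ge $fasUnbundledFrom) {
                    'FAS unbundled build: confirm separately installed CODESYS is patched'
                } else {
                    'FAS build may bundle CODESYS: upgrade FAS and patch CODESYS'
                }
            }
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DisplayName  = $name
                Version      = $ver
                Status       = $status
            }
        }
}

$inventory = Get-CodesysInventory
if (-not $inventory) {
    Write-Output "No CODESYS or Festo Automation Suite installs found on $env:COMPUTERNAME"
} else {
    $inventory | Format-Table -AutoSize
    # Export for the patch-management team; the output path is an example.
    $inventory | Export-Csv -Path ".\codesys-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
}
```

Run it on each engineering workstation, maintenance laptop, and golden image before redeployment so the CSV outputs can be compared for version drift.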
Evidence notes
The primary evidence is CISA CSAF advisory ICSA-26-076-01, which republishes Festo SE & Co. KG advisory FSA-202601. The advisory text explicitly states that the vulnerability is an unsafe deserialization issue in Engine.plugin ProfileInformation ProfileData and that a specially crafted file can lead to arbitrary command execution. The supplied metadata also shows some mapping uncertainty: the vendor fields are low-confidence and the product names include multiple version strings, so this debrief treats the Festo/CODESYS association as advisory-driven rather than inferred.
Official resources
- CVE-2021-21869 CVE record (CVE.org)
- CVE-2021-21869 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-02-26 and republished it on 2026-03-17 to incorporate the Festo advisory context. Those dates are advisory publication and update dates, not the original vulnerability discovery date.