PatchSiren cyber security CVE debrief
CVE-2021-29239 Unknown Vendor CVE debrief
CVE-2021-29239 is a high-severity weakness in CODESYS Development System 3 before 3.5.17.0. In the affected workflow, malicious documents or files embedded in libraries may be displayed or executed before their validity is checked. The supplied CISA advisory ties the issue to Festo Automation Suite deployments that include CODESYS components, making industrial engineering workstations and related OT build environments the main concern.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT and industrial automation teams using Festo Automation Suite, engineering workstations that open CODESYS libraries, and security teams responsible for patching CODESYS-based development tools in production-adjacent environments.
Technical summary
The advisory states that CODESYS Development System 3 before 3.5.17.0 can display or execute malicious documents or files embedded in libraries without first validating them. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality, integrity and availability impact. The CISA CSAF record also notes the affected Festo Automation Suite versions and identifies 2.8.0.138 as the version from which CODESYS is no longer bundled with the suite.
Defensive priority
High. This is a high-CVSS issue in a development component used in industrial automation environments, so patching should be prioritized on engineering and build systems that handle CODESYS libraries or Festo Automation Suite installations.
Recommended defensive actions
- Update CODESYS to version 3.5.17.0 or later, or install the latest patched release from the official CODESYS website.
- If using Festo Automation Suite, apply the latest FAS updates and ensure you are on a version at or above 2.8.0.138, where CODESYS is no longer bundled.
- Follow the vendor installation and update instructions so all security fixes are applied correctly.
- Review where CODESYS libraries and related documents are obtained from, and limit use to trusted sources and controlled workflows.
- Monitor CODESYS and Festo security advisories regularly and apply updates promptly.
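The two version thresholds above (CODESYS 3.5.17.0 and Festo Automation Suite 2.8.0.138) are the kind of thing a patching team wants to check across an inventory rather than by hand. The following Python is an added example, not code from the advisory, from CISA, from Festo or from PatchSiren; it assumes a hypothetical inventory format (a list of dicts with `host`, `codesys` and `fas` fields) and uses constructed sample records. It compares versions numerically field by field, because a plain string comparison would rank "3.5.9.0" above "3.5.17.0" and miss affected hosts.

```python
"""Flag inventory entries still below the fixed versions named in the advisory.

Added example; the inventory format and the sample records are constructed
assumptions, not data from the advisory.
"""
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the advisory text.
CODESYS_FIXED = "3.5.17.0"   # CODESYS Development System 3 fixed in 3.5.17.0
FAS_UNBUNDLED = "2.8.0.138"  # FAS version from which CODESYS is no longer bundled


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers; reject anything non-numeric."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if a is strictly below b.

    Compares numerically per field and pads the shorter tuple with zeros so
    that '3.5.17' and '3.5.17.0' compare equal rather than '3.5.17' being
    treated as a lower prefix.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected_codesys(version: str) -> bool:
    """CODESYS Development System 3 below 3.5.17.0 is within the advisory's range."""
    return version_lt(version, CODESYS_FIXED)


def fas_bundles_codesys(version: str) -> bool:
    """FAS below 2.8.0.138 still ships CODESYS as a bundled component."""
    return version_lt(version, FAS_UNBUNDLED)


def assess(host: Dict[str, Optional[str]]) -> List[str]:
    """Return the remediation findings for one inventory record (empty if none)."""
    findings: List[str] = []
    codesys = host.get("codesys")
    fas = host.get("fas")
    if codesys and is_affected_codesys(codesys):
        findings.append(f"CODESYS {codesys} is below {CODESYS_FIXED}: update CODESYS")
    if fas and fas_bundles_codesys(fas):
        findings.append(
            f"FAS {fas} is below {FAS_UNBUNDLED} and bundles CODESYS: "
            f"update FAS and install CODESYS separately"
        )
    return findings


def affected_hosts(inventory: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Map host name -> findings for every record that needs remediation."""
    return {h["host"]: assess(h) for h in inventory if assess(h)}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY: List[Dict[str, Optional[str]]] = [
    {"host": "ws-eng-01", "codesys": "3.5.16.40", "fas": "2.7.0.50"},
    {"host": "ws-eng-02", "codesys": "3.5.17.0", "fas": None},
    {"host": "ws-eng-03", "codesys": "3.5.9.0", "fas": "2.8.0.138"},
    {"host": "build-04", "codesys": None, "fas": "2.8.1.10"},
]

if __name__ == "__main__":
    for name, notes in affected_hosts(SAMPLE_INVENTORY).items():
        for note in notes:
            print(f"{name}: {note}")
```

Run stand-alone it prints one line per finding; in a real deployment the inventory would come from your CMDB or endpoint agent export, and the two threshold constants are the only values you would need to revisit when CODESYS or Festo publish a newer advisory.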
Evidence notes
The supplied source corpus is the CISA CSAF advisory ICSA-26-076-01 for CVE-2021-29239, published 2026-02-26 and republished 2026-03-17 with Festo SE & Co. KG advisory input. The advisory description explicitly states that CODESYS Development System 3 before 3.5.17.0 may display or execute malicious documents or files embedded in libraries without validity checks. The remediation section states that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be downloaded and installed separately. No KEV entry is included in the supplied data.
Official resources
- CVE-2021-29239 CVE record (CVE.org)
- CVE-2021-29239 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA first published the advisory on 2026-02-26 and issued a CISA republication on 2026-03-17 incorporating Festo SE & Co. KG advisory material. The supplied data does not include a KEV listing.