PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-29240 Unknown Vendor CVE debrief

CVE-2021-29240 affects the Package Manager in CODESYS Development System 3 before 3.5.17.0. According to the Festo advisory republished by CISA, the Package Manager does not check the validity of a package before installing it, so a package carrying malicious content can be installed into the development system as if it were legitimate. The Festo angle is that earlier Festo Automation Suite releases bundled CODESYS; starting with suite version 2.8.0.138 CODESYS is no longer part of the bundle, and customers install it separately from the official CODESYS source.

Vendor
Unknown Vendor
Product
FESTO
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26
Original CVE updated
2026-03-17
Advisory published
2026-02-26
Advisory updated
2026-03-17

Who should care

OT/ICS administrators, automation engineers, and security teams responsible for Festo Automation Suite and CODESYS Development System deployments. Prioritize any environment where operators install or update CODESYS packages on engineering workstations or other trusted build/configuration systems.

Technical summary

The vulnerability is a package-validation weakness in the CODESYS Package Manager. The source advisory states that versions of CODESYS Development System 3 before 3.5.17.0 do not check the validity of packages before installation, so a package with malicious content can be installed without any validation failure. The supplied CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the attacker needs no existing privileges on the workstation (PR:N) but does need a user to install the malicious package locally (AV:L, UI:R), after which the impact is whatever the package does on the engineering workstation, rated high for confidentiality, integrity and availability. The CISA CSAF source ties the issue to Festo Automation Suite deployments that include CODESYS components.

Defensive priority

High. This is not remotely exploitable on its own: someone has to install a tampered package. But the installation flow is the normal way engineers add functionality, the Package Manager gives no validation failure to warn them, and the resulting impact is rated high across confidentiality, integrity and availability. An engineering workstation typically holds project files and access to the controllers it programs, so a compromise there reaches beyond the workstation itself. Treat it as a high-priority remediation item for engineering and OT environments.

Recommended defensive actions

  • Upgrade CODESYS Development System 3 to version 3.5.17.0 or later on every engineering workstation, including installs that originally arrived bundled with an older Festo Automation Suite.
  • If you use Festo Automation Suite, upgrade to version 2.8.0.138 or later. Note that this removes CODESYS from the bundle; it does not by itself patch a CODESYS install that is already present, so check the CODESYS version separately after the suite upgrade.
  • Download CODESYS releases and packages only from the official CODESYS website and follow the vendor's installation and update instructions; until the upgrade is done, treat any package file obtained from anywhere else (shared drives, e-mail, redistributed copies) as untrusted and do not install it.
  • Keep the Festo Automation Suite connector up to date by applying Festo-released updates when available.
  • Review CODESYS security advisories regularly and apply updates promptly.
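The version thresholds above are easy to get wrong across a fleet, especially the case where a Festo Automation Suite upgrade removes bundled CODESYS without patching it. The script below is an added example written for this debrief, not code from CISA, Festo or CODESYS: it triages a software inventory export against the fixed versions named in the advisory (CODESYS Development System 3 at 3.5.17.0, Festo Automation Suite at 2.8.0.138). The CSV layout, the product name strings and the host names are assumptions; the sample inventory is constructed.

```python
"""Fleet triage for CVE-2021-29240 against a software inventory export.

Added example for this debrief, not code from CISA, Festo or CODESYS.
Assumptions: the inventory is a CSV with host,product,version columns, the
product names below are how the inventory spells them, and host names are
made up. The thresholds come from the advisory: CODESYS Development System 3
is fixed in 3.5.17.0, and Festo Automation Suite stops bundling CODESYS at
2.8.0.138, so on newer suites CODESYS must be checked as its own install.
"""
import csv
import io

CODESYS = "CODESYS Development System V3"   # assumed inventory product name
SUITE = "Festo Automation Suite"            # assumed inventory product name
CODESYS_FIXED = (3, 5, 17, 0)               # from the advisory
SUITE_UNBUNDLED = (2, 8, 0, 138)            # from the advisory

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,CODESYS Development System V3,3.5.16.40
eng-ws-01,Festo Automation Suite,2.7.0.120
eng-ws-02,CODESYS Development System V3,3.5.17.0
eng-ws-03,Festo Automation Suite,2.8.0.138
eng-ws-04,Festo Automation Suite,2.6.1.75
eng-ws-05,CODESYS Development System V3,3.5.19.20
eng-ws-05,Festo Automation Suite,2.9.0.10
eng-ws-06,CODESYS Development System V3,n/a
"""


def parse_version(text):
    """'3.5.16.40' -> (3, 5, 16, 40); shorter strings are right-padded with 0.

    Raises ValueError for strings that are not dotted integers, so callers can
    treat an unparsable version as 'unknown' rather than silently as 'fixed'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(inventory_csv):
    """Return {host: [(product, version_text, action), ...]} for hosts needing work.

    action is 'upgrade' when a version is below the fixed threshold, or 'verify'
    when the inventory cannot show that a fixed CODESYS is present.
    """
    by_host = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            version = parse_version(row["version"])
        except ValueError:
            version = None  # product present, version unparsable
        by_host.setdefault(row["host"], {})[row["product"]] = (version, row["version"])

    findings = {}
    for host, products in sorted(by_host.items()):
        actions = []
        codesys = products.get(CODESYS)
        suite = products.get(SUITE)

        if codesys is not None:
            ver, raw = codesys
            if ver is None:
                actions.append((CODESYS, raw, "verify"))
            elif ver < CODESYS_FIXED:
                actions.append((CODESYS, raw, "upgrade"))

        if suite is not None:
            ver, raw = suite
            if ver is None:
                actions.append((SUITE, raw, "verify"))
            elif ver < SUITE_UNBUNDLED:
                # Older suites bundled CODESYS; the inventory may not list it
                # as its own product, so flag it for a manual check (assumption).
                actions.append((SUITE, raw, "upgrade"))
                if codesys is None:
                    actions.append((CODESYS, "bundled", "verify"))
            elif codesys is None:
                # Suite no longer bundles CODESYS: a fixed CODESYS must be
                # installed separately, and this inventory shows none.
                actions.append((CODESYS, "not inventoried", "verify"))

        if actions:
            findings[host] = actions
    return findings


if __name__ == "__main__":
    for host, actions in triage(SAMPLE_INVENTORY).items():
        for product, version, action in actions:
            print(f"{host}: {product} {version}: {action}")
```

The 'verify' actions are deliberate: a host whose suite is already at 2.8.0.138 but shows no CODESYS install is either clean or has an unrecorded CODESYS, and only a look at the workstation settles it. Hosts eng-ws-02 and eng-ws-05 in the sample produce no findings because their CODESYS version is at or above 3.5.17.0.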

Evidence notes

Source item ICSA-26-076-01 states: 'The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.' The same source lists remediation guidance to obtain patched CODESYS versions from the official website and notes that, starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled with the suite. The advisory metadata also includes the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and a revision history showing initial publication on 2026-02-26 and republication on 2026-03-17.

Official resources

CISA published the advisory on 2026-02-26 and recorded a republication/revision on 2026-03-17. The source metadata identifies the underlying vendor advisory as Festo FSA-202601 and the CISA tracking ID as ICSA-26-076-01.