PatchSiren cyber security CVE debrief

CVE-2021-30186 Unknown Vendor CVE debrief

CVE-2021-30186 is a high-severity heap-based buffer overflow in the CODESYS V2 runtime system SP before 2.4.7.55. In the CISA advisory corpus, this issue is associated with Festo Automation Suite deployments that bundled CODESYS components, and Festo’s remediation notes say newer Festo Automation Suite versions stop bundling CODESYS so customers must install patched CODESYS separately. The impact profile in the supplied CVSS vector is availability-only, which makes operational disruption the primary concern for OT environments.

Vendor: Unknown Vendor
Product: FESTO
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT/ICS asset owners, plant engineers, and patch-management teams using Festo Automation Suite or any deployment that includes the affected CODESYS V2 runtime system SP. Security teams supporting industrial automation environments should also review exposed engineering workstations, test systems, and any managed package installations that may still carry pre-2.4.7.55 runtime components.

Technical summary

The source advisory describes a heap-based buffer overflow in CODESYS V2 runtime system SP versions before 2.4.7.55. The provided CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network-reachable conditions with no privileges or user interaction required and a primary denial-of-service/availability impact. The CISA republication ties the issue to Festo Automation Suite advisory content and lists remediation steps focused on installing the latest patched CODESYS release and keeping Festo Automation Suite connector updates current.

Defensive priority

High for OT environments running affected CODESYS V2 runtime components or older Festo Automation Suite builds; prioritize where availability loss would disrupt production or safety-related processes.

Recommended defensive actions

  • Identify whether any assets use CODESYS V2 runtime system SP versions earlier than 2.4.7.55.
  • Review Festo Automation Suite installations and determine whether they include bundled or separately installed CODESYS components.
  • Upgrade to the latest patched CODESYS release from the official CODESYS website.
  • Apply Festo Automation Suite updates as released, including connector updates referenced in the advisory.
  • Validate that any separate CODESYS installations are tracked and patched independently of the Festo suite.
  • Monitor CODESYS and Festo security advisories for follow-on updates and maintenance guidance.
  • If immediate updating is not possible, use OT change-control and segmentation to reduce exposure of affected systems.

Evidence notes

This debrief is based on the supplied CISA CSAF source item for ICSA-26-076-01, which republishes Festo SE & Co. KG advisory FSA-202601. The source description states: 'CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.' The advisory metadata also lists affected Festo Automation Suite product combinations and remediation guidance. The supplied dates place initial publication on 2026-02-26 and republication/modification on 2026-03-17. Vendor attribution in the prompt metadata is marked low confidence/needs review, so the summary avoids overstating the product/vendor relationship beyond what the source advisory supports.

Official resources

Public advisory published by CISA on 2026-02-26 and republished with an updated revision history on 2026-03-17. The source corpus does not include KEV listing information, and no ransomware-campaign linkage is provided.