PatchSiren cyber security CVE debrief
CVE-2021-30187 Unknown Vendor CVE debrief
CVE-2021-30187 is a medium-severity command-injection issue in CODESYS V2 runtime system SP before 2.4.7.55. In the CISA-republished advisory, the issue is tied to Festo Automation Suite deployments that include CODESYS components. The published CVSS vector indicates local exploitation with low privileges and no user interaction, which makes this primarily an OT engineering-workstation risk rather than a remote exposure event. Festo's remediation guidance says Festo Automation Suite 2.8.0.138 no longer bundles CODESYS, and customers should install patched CODESYS directly and keep the FAS connector updated.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT administrators, ICS/automation engineers, and patch-management teams supporting Festo Automation Suite installations that include CODESYS components, especially on engineering workstations.
Technical summary
The advisory describes improper neutralization of special elements used in an OS command (CWE-78) in CODESYS V2 runtime system SP before 2.4.7.55. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L with a score of 5.3. CISA's republished CSAF associates the issue with Festo Automation Suite environments and points to vendor guidance to separate CODESYS from the suite and apply the latest patched release.
Defensive priority
Medium priority, with higher urgency if Festo Automation Suite is deployed and local users or service accounts can interact with CODESYS-related runtime components.
Recommended defensive actions
- Inventory Festo Automation Suite installations and identify any systems that include CODESYS components.
- Update CODESYS to a version that is not affected by the advisory; the source states that CODESYS V2 runtime system SP versions before 2.4.7.55 are affected.
- Upgrade Festo Automation Suite to 2.8.0.138 or later, since the source notes CODESYS is no longer bundled starting with 2.8.0.138.
- Follow the official CODESYS installation and update instructions so security fixes are actually applied.
- Keep the Festo Automation Suite connector current and monitor CODESYS security advisories for follow-on fixes.
- Limit local interactive access on engineering workstations and review privileges for accounts that can reach CODESYS runtime functions.
Evidence notes
Evidence in the supplied corpus comes from CISA's CSAF republishing Festo SE & Co. KG advisory ICSA-26-076-01. The source describes CVE-2021-30187 as 'CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.' The remediation text explicitly says Festo Automation Suite version 2.8.0.138 no longer bundles CODESYS. The supplied vendor metadata is low-confidence and inconsistent, so asset identification should rely on the advisory text rather than the vendor label.
Official resources
- CVE-2021-30187 CVE record (CVE.org)
- CVE-2021-30187 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA first published the advisory on 2026-02-26 and republished it on 2026-03-17 after incorporating Festo's advisory content. The CVE identifier is older, but the timing context in this corpus is the 2026 advisory publication and republica