PatchSiren cyber security CVE debrief
CVE-2021-30190 Unknown Vendor CVE debrief
CVE-2021-30190 is a critical improper access control issue affecting CODESYS V2 Web-Server versions before 1.1.9.20. In the supplied CISA advisory, the issue is published as part of a Festo Automation Suite/CODESYS context and carries a 9.8 CVSS score. The safest response is to move to patched CODESYS builds and keep the related Festo Automation Suite connector updated.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS defenders, plant engineers, and software maintainers responsible for Festo Automation Suite deployments that include CODESYS components, especially any environment running CODESYS V2 Web-Server instances.
Technical summary
The source advisory states that CODESYS V2 Web-Server before 1.1.9.20 has improper access control. CISA’s republished guidance ties the issue to Festo Automation Suite configurations that bundled CODESYS components, and notes that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be obtained separately. The supplied CVSS vector describes a network-reachable issue that requires no privileges or user interaction, with confidentiality, integrity, and availability impact all rated high.
Defensive priority
Immediate patching and exposure review are warranted given the critical 9.8 severity and the source’s network/no-auth CVSS profile.
Recommended defensive actions
- Install the latest patched CODESYS release from the official CODESYS website.
- Follow the vendor installation and update instructions so all security fixes are applied.
- Update the Festo Automation Suite connector to the latest available version.
- Review deployments for any CODESYS V2 Web-Server instances running before 1.1.9.20 and prioritize remediation.
- Monitor the CODESYS and Festo security advisories for follow-on updates.
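The deployment review in the list above can be scripted against an asset inventory. The following is an added example, not code from CISA, CODESYS or Festo: it assumes a hypothetical CSV export with `host`, `product` and `version` columns, and the sample rows are constructed.

```python
import csv
import io

FIXED_WEBSERVER = (1, 1, 9, 20)   # advisory: Web-Server before 1.1.9.20 is affected
UNBUNDLED_SUITE = (2, 8, 0, 138)  # advisory: from this suite version CODESYS is not bundled

# Constructed sample inventory; column names and hosts are hypothetical.
SAMPLE_INVENTORY = """host,product,version
hmi-01,CODESYS V2 Web-Server,1.1.9.9
plc-gw-02,CODESYS V2 Web-Server,1.1.9.20
eng-ws-03,Festo Automation Suite,2.7.0.100
eng-ws-04,Festo Automation Suite,2.8.0.138
hmi-05,CODESYS V2 Web-Server,unknown
"""

def parse_version(text):
    """Return '1.1.9.9' as (1, 1, 9, 9), or None if it is not dotted decimal."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(product, version_text):
    """Classify one inventory row against the two version boundaries."""
    version = parse_version(version_text)
    name = product.strip().lower()
    if name not in ("codesys v2 web-server", "festo automation suite"):
        return "OUT OF SCOPE"
    if version is None:
        return "REVIEW: version unreadable, verify on the host"
    if name == "codesys v2 web-server":
        # Numeric tuple compare: as strings, "1.1.9.9" would sort after "1.1.9.20".
        return "VULNERABLE: before 1.1.9.20" if version < FIXED_WEBSERVER else "OK"
    if version < UNBUNDLED_SUITE:
        return "REVIEW: suite may bundle CODESYS, check its Web-Server version"
    return "OK: CODESYS not bundled, track the separate CODESYS install"

def scan(inventory_text):
    """Return (host, finding) for every row of a CSV inventory."""
    rows = csv.DictReader(io.StringIO(inventory_text))
    return [(r["host"], triage(r["product"], r["version"])) for r in rows]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_INVENTORY):
        print(f"{host:10} {finding}")
```

Rows with an unreadable version are flagged for manual review rather than treated as patched, so an incomplete inventory does not hide an affected host.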
Evidence notes
The supplied source item is CISA advisory ICSA-26-076-01, published 2026-02-26 and republished/modified 2026-03-17, with the advisory text: "CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control." The remediation section explicitly says that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and must be downloaded separately, and recommends installing the latest patched CODESYS release. Vendor mapping in the prompt is marked low confidence and needs review, so this debrief treats Festo as advisory context rather than a confirmed standalone product attribution.
Official resources
- CVE-2021-30190 CVE record (CVE.org)
- CVE-2021-30190 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA CSAF advisory ICSA-26-076-01 was published on 2026-02-26 and republished on 2026-03-17. No KEV entry is present in the supplied corpus.