PatchSiren cyber security CVE debrief
CVE-2021-30195 Unknown Vendor CVE debrief
CVE-2021-30195 describes an improper input validation issue in CODESYS V2 runtime system versions before 2.4.7.55. In the CISA-republished Festo advisory context, this appears in Festo Automation Suite deployments that include CODESYS components. The published CVSS vector indicates a network-reachable, unauthenticated issue with high availability impact and no documented confidentiality or integrity impact in the supplied source material.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT and industrial-control teams running Festo Automation Suite, administrators of systems that include CODESYS V2 runtime components, and patch-management owners responsible for engineering workstations or runtime environments that must stay aligned with vendor security advisories.
Technical summary
The supplied advisory text identifies improper input validation in CODESYS V2 runtime system before version 2.4.7.55. The associated CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which describes a network-exploitable issue requiring no privileges or user interaction and resulting in high availability impact. The CISA source item republishes a Festo advisory and notes Festo Automation Suite product contexts that include CODESYS components, with remediation directing customers to use a patched CODESYS release and updated Festo Automation Suite releases.
Defensive priority
High. Prioritize remediation wherever CODESYS V2 runtime before 2.4.7.55 is present, especially in Festo Automation Suite deployments or OT environments where availability loss could disrupt operations.
Recommended defensive actions
- Confirm whether any installed CODESYS V2 runtime components are earlier than 2.4.7.55 and plan immediate replacement or update.
- Update Festo Automation Suite to version 2.8.0.138 or later, where CODESYS is no longer bundled with the suite.
- Download and install the latest patched CODESYS release directly from the official CODESYS website.
- Follow the vendor installation and update instructions so all security fixes are applied correctly.
- Monitor CODESYS security advisories regularly and apply updates promptly.
- Keep the Festo Automation Suite connector up to date by installing Festo-released updates as they are made available.
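The first two actions above can be run as an inventory triage. The following is an added example, not code from the advisory or from either vendor; it assumes a CSV export with `host`, `product` and `version` columns, and the hostnames, product labels and sample versions are constructed. Only the two version boundaries come from the advisory text.

```python
import csv
import io

# Version boundaries quoted in the advisory text on this page.
CODESYS_V2_FIXED = (2, 4, 7, 55)
FESTO_SUITE_UNBUNDLED = (2, 8, 0, 138)

# Constructed sample inventory (assumed column layout, made-up hosts and versions).
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,CODESYS V2 Runtime,2.4.7.54
plc-gw-02,CODESYS V2 Runtime,2.4.7.55
eng-ws-03,Festo Automation Suite,2.7.1.20
eng-ws-04,Festo Automation Suite,2.8.0.138
plc-gw-05,CODESYS V2 Runtime,2.4.7
hmi-06,CODESYS V2 Runtime,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints (short versions zero-padded), or None if unparseable."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def triage(row):
    """Classify one inventory row against the advisory's version boundaries."""
    product = row["product"].strip().lower()
    if "codesys" in product:
        boundary, action = CODESYS_V2_FIXED, "UPDATE_CODESYS"
    elif "festo automation suite" in product:
        boundary, action = FESTO_SUITE_UNBUNDLED, "UPDATE_SUITE"
    else:
        return "NOT_IN_SCOPE"
    version = parse_version(row["version"])
    if version is None:
        return "VERIFY_MANUALLY"  # never treat an unreadable version as patched
    # Tuple comparison is numeric per component, so 2.4.7.9 sorts before 2.4.7.55.
    return action if version < boundary else "OK"

def triage_inventory(csv_text):
    """Map each host in the CSV text to its triage result."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```

Truncated version strings such as `2.4.7` are padded with zeros, so they are flagged for update rather than assumed patched.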
Evidence notes
The source corpus is a CISA CSAF advisory (ICSA-26-076-01) republishing a Festo advisory. The advisory description explicitly states that CODESYS V2 runtime system before 2.4.7.55 has improper input validation. The remediation section names Festo Automation Suite 2.8.0.138 as a boundary where CODESYS is no longer bundled, and recommends using patched CODESYS releases from the official vendor. The product/vendor mapping in the prompt is low confidence and should be treated as needing review because the source references span Festo, CODESYS, and CERTVDE context.
Official resources
- CVE-2021-30195 CVE record (CVE.org)
- CVE-2021-30195 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-02-26 and issued a republication update on 2026-03-17 as an initial CISA republication of the Festo SE & Co. KG advisory. Use the CVE publication date in that advisory timeline as the timing reference.