PatchSiren cyber security CVE debrief

CVE-2021-33486 Unknown Vendor CVE debrief

CVE-2021-33486 is a high-severity availability issue tied to CODESYS components used in Festo-related deployments. The CISA CSAF advisory states that the affected CODESYS V3 Runtime Toolkit for VxWorks versions run from V3.5.8.0 up to, but not including, V3.5.17.10, and the CVSS vector shows network access with no privileges or user interaction required and a high availability impact.

Vendor: Unknown Vendor
Product: FESTO
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT/ICS operators, system integrators, and maintenance teams that use Festo Automation Suite deployments with bundled CODESYS components, as well as anyone running the affected CODESYS V3 Runtime Toolkit for VxWorks versions.

Technical summary

The advisory describes improper handling of exceptional conditions in CODESYS V3 Runtime Toolkit for VxWorks, affecting versions from V3.5.8.0 up to, but not including, V3.5.17.10. The listed CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a network-reachable issue that needs no user interaction or privileges and primarily affects availability.

Defensive priority

High. The issue is remotely reachable, requires no authentication or user interaction, and can impact availability in industrial environments; prioritize any deployed or bundled CODESYS instances that match the affected range.

Recommended defensive actions

  • Confirm whether any deployed CODESYS V3 Runtime Toolkit for VxWorks instance is in the affected range (from V3.5.8.0 up to, but not including, V3.5.17.10).
  • Update to the latest patched CODESYS release from the official CODESYS website, following the vendor’s installation and update instructions.
  • If you use Festo Automation Suite, install the latest FAS updates and verify the installed CODESYS component version; starting with FAS 2.8.0.138, CODESYS is no longer bundled and must be installed separately by the user.
  • Monitor CODESYS, Festo, and CISA advisories for version-specific follow-up guidance and apply updates promptly when released.
  • Maintain an asset/version inventory for CODESYS-related components so future patching can be applied quickly.
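The first and last actions above (checking each deployed instance against the affected range and keeping a version inventory) are easy to get wrong when versions are compared as plain strings, because "3.5.9.0" sorts after "3.5.17.10" alphabetically. The following script is an added example, not code from PatchSiren, CISA, CODESYS, or Festo: it parses CODESYS-style version strings into numeric tuples, applies the advisory's range (from V3.5.8.0 and before V3.5.17.10), and triages a constructed sample inventory. The asset names, version values, and function names are illustrative assumptions.

```python
"""Triage a CODESYS V3 Runtime Toolkit for VxWorks inventory against the
CVE-2021-33486 affected range stated in ICSA-26-076-01:
from V3.5.8.0 and before V3.5.17.10, i.e. 3.5.8.0 <= version < 3.5.17.10."""
from __future__ import annotations

import re

AFFECTED_FROM = (3, 5, 8, 0)   # inclusive lower bound, from the advisory
FIXED_IN = (3, 5, 17, 10)      # exclusive upper bound (first version outside the range)

# Accepts "V3.5.17.10", "v3.5.17.10" or "3.5.17.10"; rejects anything else.
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a CODESYS version string into a tuple of ints that compares
    numerically per component. Shorter strings are right-padded with zeros,
    so "V3.5.8" compares equal to "V3.5.8.0"."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised CODESYS version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 4 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version lies inside [V3.5.8.0, V3.5.17.10)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def triage_inventory(inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map each (asset, version) pair to 'affected', 'not affected' or
    'unknown' (version missing or unparseable, so it needs a manual check)."""
    result: dict[str, str] = {}
    for asset, version in inventory:
        try:
            result[asset] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[asset] = "unknown"
    return result


# Constructed sample inventory; names and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("plc-line1-ctrl", "V3.5.16.40"),  # inside the range -> affected
    ("plc-line2-ctrl", "V3.5.17.10"),  # exactly the first unaffected release
    ("plc-packaging", "3.5.7.50"),     # below the lower bound -> not affected
    ("test-bench", "V3.5.8"),          # pads to 3.5.8.0, the inclusive lower bound
    ("legacy-hmi", "unknown"),         # no version recorded -> manual check
]

if __name__ == "__main__":
    for asset, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset:16} {status}")
```

Feed it the output of your own asset inventory instead of SAMPLE_INVENTORY; anything reported as "unknown" should be inspected by hand rather than assumed safe, and the bounds are kept as named constants so the same script can be reused for follow-up advisories that change the range.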

Evidence notes

The primary evidence is the CISA CSAF advisory ICSA-26-076-01, published on 2026-02-26 and modified on 2026-03-17, which explicitly states: “All versions of the CODESYS V3 Runtime Toolkit for VxWorks from version V3.5.8.0 and before version V3.5.17.10 have Improper Handling of Exceptional Conditions.” The same source’s remediation section recommends downloading the latest patched CODESYS version from the official website, following CODESYS update instructions, monitoring CODESYS advisories, and keeping the Festo Automation Suite connector up to date. The advisory also links to CISA’s ICS advisory page, Festo PSIRT, and CERT@VDE resources.

Official resources

CISA published ICSA-26-076-01 on 2026-02-26 and republished it on 2026-03-17 from Festo SE & Co. KG advisory FSA-202601; the source material ties the CVE to CODESYS components used in Festo-related deployments.