PatchSiren cyber security CVE debrief
CVE-2021-36765 Unknown Vendor CVE debrief
CVE-2021-36765 affects CODESYS EtherNetIP versions before 4.1.0.0 and is described in the supplied CISA CSAF advisory for Festo Automation Suite deployments that include the vulnerable component. The issue is a null pointer dereference in the downloaded EtherNet/IP stack executed by the CODESYS Control runtime system. Because the trigger is network-based and the source rates the issue High (7.5), organizations running exposed OT/ICS engineering or runtime environments should treat this as a priority patching item. The supplied advisory was initially published on 2026-02-26 and republished on 2026-03-17.
- Vendor: Unknown Vendor
- Product: FESTO
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators, Festo Automation Suite administrators, and engineers running CODESYS Control runtime systems or EtherNet/IP-enabled industrial environments should care most. Network defenders responsible for segmentation, exposure reduction, and patch management on industrial networks should also review this advisory.
Technical summary
The supplied advisory states that specific EtherNet/IP requests can cause a null pointer dereference in a downloaded vulnerable EtherNet/IP stack that is executed by the CODESYS Control runtime system. The affected CODESYS EtherNetIP component is identified as being before 4.1.0.0. The remediation notes indicate that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be downloaded and installed separately, and users should obtain the latest patched CODESYS release directly from the official CODESYS website.
Defensive priority
High priority for environments that use CODESYS-based industrial automation and have any network exposure to EtherNet/IP traffic. The issue is network-triggerable and can impact runtime availability, so it should be scheduled promptly for inventory, validation, and patch deployment.
Recommended defensive actions
- Inventory Festo Automation Suite and CODESYS installations, then identify any systems using CODESYS EtherNetIP before 4.1.0.0.
- Upgrade to the latest patched CODESYS release from the official CODESYS website.
- Update Festo Automation Suite to 2.8.0.138 or later and keep the FAS connector current.
- Limit EtherNet/IP exposure to trusted industrial network segments and review firewall or segmentation controls.
- Follow CISA ICS recommended practices and apply updates through a controlled maintenance process.
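The first three actions above reduce to a version comparison against the two thresholds the advisory gives (CODESYS EtherNetIP 4.1.0.0 and Festo Automation Suite 2.8.0.138). The following script is an added example, not tooling from CISA, Festo or CODESYS; the inventory records, host names and field names are constructed assumptions, and it treats a host that accepts EtherNet/IP from outside its own cell segment as the higher-priority case.

```python
"""Flag CODESYS EtherNetIP installs older than the fixed 4.1.0.0 release.

Added example; not CISA, Festo or CODESYS tooling. The inventory records
below are constructed sample data and the field names are assumptions.
"""
from dataclasses import dataclass

FIXED_ETHERNETIP = (4, 1, 0, 0)   # first fixed CODESYS EtherNetIP version per the advisory
FIXED_FAS = (2, 8, 0, 138)        # Festo Automation Suite release that stops bundling CODESYS


def parse_version(text):
    """Turn a dotted version string such as '4.0.0.2' into a comparable 4-tuple.
    Missing trailing components count as 0, so '4.1' compares equal to '4.1.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class Asset:
    host: str
    component: str       # "CODESYS EtherNetIP" or "Festo Automation Suite" (assumed labels)
    version: str
    enip_exposed: bool   # accepts EtherNet/IP from outside its own cell segment?


def assess(asset):
    """Return (needs_action, priority, reason) for one inventory record."""
    v = parse_version(asset.version)
    if asset.component == "CODESYS EtherNetIP":
        if v < FIXED_ETHERNETIP:
            prio = "P1" if asset.enip_exposed else "P2"
            return True, prio, f"EtherNetIP {asset.version} < 4.1.0.0 (CVE-2021-36765)"
        return False, "none", "EtherNetIP at or above 4.1.0.0"
    if asset.component == "Festo Automation Suite":
        if v < FIXED_FAS:
            return True, "P2", f"FAS {asset.version} predates 2.8.0.138; bundled CODESYS must be checked"
        return False, "none", "FAS 2.8.0.138+ does not bundle CODESYS; verify CODESYS separately"
    return False, "none", "component not in scope"


def triage(assets):
    """Run assess() over an inventory; return records needing action, most urgent first."""
    findings = []
    for a in assets:
        needs, prio, reason = assess(a)
        if needs:
            findings.append((prio, a.host, a.component, a.version, reason))
    return sorted(findings)


# Constructed sample inventory (not real hosts and not real scan output)
SAMPLE_INVENTORY = [
    Asset("plc-line1", "CODESYS EtherNetIP", "4.0.0.2", enip_exposed=True),
    Asset("plc-line2", "CODESYS EtherNetIP", "4.1.0.0", enip_exposed=True),
    Asset("eng-ws-01", "Festo Automation Suite", "2.7.1.5", enip_exposed=False),
    Asset("eng-ws-02", "Festo Automation Suite", "2.8.0.138", enip_exposed=False),
    Asset("plc-cell3", "CODESYS EtherNetIP", "3.5.17", enip_exposed=False),
]

if __name__ == "__main__":
    for prio, host, comp, ver, reason in triage(SAMPLE_INVENTORY):
        print(f"{prio} {host:10} {comp:24} {ver:10} {reason}")
```

Feed it the export from whatever asset inventory you keep; the point is that a three-component version string such as 3.5.17 and a four-component one such as 4.0.0.2 must both compare correctly against 4.1.0.0, which a plain string comparison gets wrong.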
Evidence notes
The source corpus is the CISA CSAF advisory ICSA-26-076-01 and its referenced materials. The advisory metadata names CODESYS EtherNetIP before 4.1.0.0 and describes a null pointer dereference triggered by specific EtherNet/IP requests. The remediation text says Festo Automation Suite 2.8.0.138 no longer bundles CODESYS and directs customers to obtain patched CODESYS releases from the official vendor. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while the narrative description emphasizes a crash-prone null pointer dereference; that source inconsistency is noted here rather than resolved. Vendor attribution in the prompt is low confidence, so this debrief focuses on the exposed product chain rather than a vendor guess.
Official resources
- CVE-2021-36765 CVE record (CVE.org)
- CVE-2021-36765 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed through CISA CSAF advisory ICSA-26-076-01, initially published 2026-02-26 and republished 2026-03-17.