PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-32138 Festo (CODESYS) CVE debrief

CVE-2022-32138 affects multiple CODESYS components bundled with Festo Automation Suite. A remote attacker with low privileges can send a crafted request that triggers an unexpected sign extension, leading to a denial-of-service condition or a memory overwrite. CISA republished the Festo advisory as CSAF advisory ICSA-26-076-01 on 2026-02-26 and revised it on 2026-03-17. The 2022 prefix of the CVE identifier shows it was assigned in 2022; the dates in this debrief are those of the advisory record in stored evidence.

Vendor
Festo (advisory FSA-202601, republished by CISA); the affected components are from CODESYS
Product
Festo Automation Suite (bundled CODESYS components)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26 (date of the advisory record in stored evidence; the identifier itself was assigned in 2022)
Original CVE updated
2026-03-17
Advisory published
2026-02-26
Advisory updated
2026-03-17

Who should care

OT/ICS teams, Festo Automation Suite users, and engineers managing CODESYS development systems on Windows engineering workstations or similar hosts.

Technical summary

The advisory lists Festo Automation Suite versions below 2.8.0.138 and the CODESYS Development System components bundled with them, naming 3.0, 3.5.16.10, and 3.5.21.20 in the documented product combinations. The flaw is an unexpected sign extension during request handling. Bugs of this class arise when a field that should be treated as unsigned is widened as a signed integer: a large field value becomes negative, passes a bounds check written for non-negative offsets or lengths, and the subsequent copy or index lands outside the intended buffer. The vendor advisory describes outcomes ranging from denial of service to memory overwrite. The source corpus provides no exploit details.
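To make the mechanism concrete, here is an added example that is not CODESYS code and not taken from the advisory: the request layout, handler names, buffer size and guard regions are all hypothetical. It shows a 16-bit offset read as a signed value sliding past a signed bounds check so that memcpy writes in front of the buffer, beside a handler that keeps the field unsigned and checks the range without overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the sign-extension bug class; NOT CODESYS code. */

#define CHANNEL_BUF_SIZE 256
#define REQ_HDR_LEN 3   /* hypothetical layout: [offset: 2 bytes LE][len: 1 byte][payload] */

/* Buffer surrounded by guard bytes so an out-of-bounds write lands in memory
 * we can inspect instead of corrupting unrelated data. */
typedef struct {
    uint8_t guard_lo[64];
    uint8_t data[CHANNEL_BUF_SIZE];
    uint8_t guard_hi[64];
} channel_t;

static uint16_t read_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable handler: the offset is reinterpreted as a signed 16-bit value and
 * widened to int, so 0xFFF0 becomes -16; the signed check then passes. */
int handle_request_vulnerable(channel_t *ch, const uint8_t *req, size_t req_len)
{
    if (req_len < REQ_HDR_LEN)
        return -1;
    int offset = (int16_t)read_u16le(req);   /* sign extension happens here */
    int len = req[2];
    if (req_len < (size_t)REQ_HDR_LEN + (size_t)len)
        return -1;
    if (offset + len > CHANNEL_BUF_SIZE)     /* -16 + 8 = -8: passes */
        return -1;
    memcpy(ch->data + offset, req + REQ_HDR_LEN, (size_t)len);  /* writes before data[] */
    return 0;
}

/* Hardened handler: keep the offset unsigned (zero extension) and write the
 * range check so it cannot overflow: offset <= SIZE and len <= SIZE - offset. */
int handle_request_fixed(channel_t *ch, const uint8_t *req, size_t req_len)
{
    if (req_len < REQ_HDR_LEN)
        return -1;
    size_t offset = read_u16le(req);          /* 0xFFF0 stays 65520 */
    size_t len = req[2];
    if (req_len < REQ_HDR_LEN + len)
        return -1;
    if (offset > CHANNEL_BUF_SIZE || len > CHANNEL_BUF_SIZE - offset)
        return -1;
    memcpy(ch->data + offset, req + REQ_HDR_LEN, len);
    return 0;
}

/* Build a request into out (must hold REQ_HDR_LEN + len bytes); returns its length. */
size_t build_request(uint8_t *out, uint16_t offset, uint8_t len, uint8_t fill)
{
    out[0] = (uint8_t)(offset & 0xFF);
    out[1] = (uint8_t)(offset >> 8);
    out[2] = len;
    memset(out + REQ_HDR_LEN, fill, len);
    return REQ_HDR_LEN + len;
}

/* 1 if both guard regions are still all-zero, 0 if something wrote into them. */
int guards_intact(const channel_t *ch)
{
    for (size_t i = 0; i < sizeof ch->guard_lo; i++)
        if (ch->guard_lo[i] || ch->guard_hi[i])
            return 0;
    return 1;
}

/* Crafted request (offset 0xFFF0, 8 bytes): 1 if the vulnerable handler
 * accepts it and overwrites the guard bytes in front of the buffer. */
int demo_vulnerable_overwrites(void)
{
    channel_t ch;
    uint8_t req[REQ_HDR_LEN + 8];
    memset(&ch, 0, sizeof ch);
    size_t n = build_request(req, 0xFFF0, 8, 0x41);
    return handle_request_vulnerable(&ch, req, n) == 0 && !guards_intact(&ch);
}

/* Same request against the fixed handler: 1 if rejected with guards intact. */
int demo_fixed_rejects(void)
{
    channel_t ch;
    uint8_t req[REQ_HDR_LEN + 8];
    memset(&ch, 0, sizeof ch);
    size_t n = build_request(req, 0xFFF0, 8, 0x41);
    return handle_request_fixed(&ch, req, n) == -1 && guards_intact(&ch);
}

/* An in-range request must still be accepted by the fixed handler. */
int demo_fixed_accepts_valid(void)
{
    channel_t ch;
    uint8_t req[REQ_HDR_LEN + 4];
    memset(&ch, 0, sizeof ch);
    size_t n = build_request(req, 100, 4, 0x42);
    return handle_request_fixed(&ch, req, n) == 0 && guards_intact(&ch)
           && ch.data[100] == 0x42 && ch.data[103] == 0x42;
}

int main(void)
{
    printf("vulnerable handler overwrote guard bytes: %d\n", demo_vulnerable_overwrites());
    printf("fixed handler rejected crafted request:   %d\n", demo_fixed_rejects());
    printf("fixed handler accepted valid request:     %d\n", demo_fixed_accepts_valid());
    return 0;
}
```

The two handlers differ in exactly two places: the type the field is widened into, and the form of the range check. Checking `offset + len > SIZE` with signed operands is the pattern to look for in a review, because it admits negative offsets and, with large values, can itself overflow; the `offset > SIZE || len > SIZE - offset` form has neither problem.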

Defensive priority

High

Recommended defensive actions

  • Upgrade Festo Automation Suite to 2.8.0.138 or later; from that version the suite no longer bundles CODESYS, so CODESYS must be installed and patched separately.
  • Install the latest patched CODESYS release directly from the official CODESYS website and follow the vendor's update instructions.
  • Verify affected engineering workstations and deployments for bundled or separately installed CODESYS components and replace outdated versions.
  • Keep the Festo Automation Suite connector up to date using Festo-released updates.
  • Monitor CODESYS and Festo security advisories and apply fixes promptly.
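The verification step above comes down to comparing installed version strings against the fixed release the advisory names. Here is an added example (not Festo or CODESYS tooling) that does that comparison numerically, segment by segment; the inventory rows are constructed, and the fixed version 2.8.0.138 is the only value taken from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed release named in the advisory: Festo Automation Suite below this is affected. */
#define FAS_FIXED_VERSION "2.8.0.138"

/* Parse one dotted segment; a missing trailing segment counts as 0 ("2.8" == "2.8.0.0").
 * Text that is not a digit ends the version string (e.g. a trailing " SP1"). */
static long next_segment(const char **s)
{
    char *end;
    long v;
    if (**s == '\0')
        return 0;
    v = strtol(*s, &end, 10);
    if (end == *s) {              /* no digits consumed: treat the rest as padding */
        *s += strlen(*s);
        return 0;
    }
    *s = end;
    if (**s == '.')
        (*s)++;
    return v;
}

/* Numeric segment-wise comparison: <0, 0, >0 like strcmp, but "2.10" > "2.9". */
int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        long x = next_segment(&a);
        long y = next_segment(&b);
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 if an installed Festo Automation Suite version is below the fixed release. */
int fas_is_affected(const char *installed)
{
    return version_cmp(installed, FAS_FIXED_VERSION) < 0;
}

/* Constructed inventory rows (hostname, version), standing in for what an
 * asset-inventory export or a registry query on each workstation would return. */
typedef struct { const char *host; const char *version; } inventory_row;

static const inventory_row SAMPLE_INVENTORY[] = {
    { "eng-ws-01", "2.7.0.55"  },   /* hypothetical versions */
    { "eng-ws-02", "2.8.0.138" },
    { "eng-ws-03", "2.8"       },
    { "eng-ws-04", "2.10.1.3"  },
};

/* Returns the number of rows whose version is below the fixed release. */
int count_affected(const inventory_row *rows, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (fas_is_affected(rows[i].version))
            flagged++;
    return flagged;
}

/* Convenience wrapper over the constructed sample rows. */
int demo_sample_inventory_affected(void)
{
    return count_affected(SAMPLE_INVENTORY, sizeof SAMPLE_INVENTORY / sizeof SAMPLE_INVENTORY[0]);
}

int main(void)
{
    size_t n = sizeof SAMPLE_INVENTORY / sizeof SAMPLE_INVENTORY[0];
    for (size_t i = 0; i < n; i++)
        printf("%-10s %-10s %s\n", SAMPLE_INVENTORY[i].host, SAMPLE_INVENTORY[i].version,
               fas_is_affected(SAMPLE_INVENTORY[i].version) ? "AFFECTED" : "ok");
    printf("%d of %zu hosts below %s\n", demo_sample_inventory_affected(), n, FAS_FIXED_VERSION);
    return 0;
}
```

Two details matter in practice: a plain string comparison would rank "2.10" below "2.9", and a short version such as "2.8" reported by some installers must be padded with zeros so it is correctly treated as older than 2.8.0.138. Separately installed CODESYS components are not covered by this check and need their own comparison against the CODESYS release notes.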

Evidence notes

Based on the CISA CSAF advisory ICSA-26-076-01 (republished from Festo advisory FSA-202601) and the linked Festo/CERT VDE references. The source explicitly names Festo Automation Suite versions below 2.8.0.138 and associated CODESYS versions as affected, and states the issue can cause DoS or memory overwrite.

Official resources

CISA CSAF advisory ICSA-26-076-01, published 2026-02-26 and revised 2026-03-17, republishing Festo advisory FSA-202601.