PatchSiren cyber security CVE debrief
CVE-2022-47390 CODESYS CVE debrief
CVE-2022-47390 is an authenticated, remote stack-based out-of-bounds write in the CmpTraceMgr component used by multiple CODESYS product versions, including CODESYS components associated with Festo Automation Suite. CISA rates the issue 8.8 High and notes impacts that can range from denial of service to memory overwriting and remote code execution. The defensive priority is high because the vulnerable path is network-reachable, does not require user interaction, and affects industrial software bundles that may be deployed on engineering or operational systems.
- Vendor: CODESYS
- Product: FESTO
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT and industrial automation teams using Festo Automation Suite, especially installations that bundled CODESYS Development System components; plant engineers, system integrators, and patch-management teams responsible for CODESYS-based tooling.
Technical summary
The advisory describes a stack-based out-of-bounds write in CmpTraceMgr, which aligns with CWE-787. Exploitation requires authentication but no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The source advisory ties affected configurations to Festo Automation Suite versions below 2.8.0.138 and to bundled or external CODESYS Development System components, with vendor remediation guidance to move to patched CODESYS builds and updated Festo releases.
Defensive priority
High. This is a network-reachable authenticated memory-corruption issue with potential for denial of service, memory overwriting, and remote code execution in an OT-adjacent product bundle.
Recommended defensive actions
- Inventory all Festo Automation Suite deployments and determine whether CODESYS is bundled or installed as an external component.
- Upgrade Festo Automation Suite to version 2.8.0.138 or later; the advisory states that CODESYS is no longer bundled starting with that release.
- Install the latest patched CODESYS version directly from the official CODESYS website and follow its update guidance.
- Restrict authenticated access to the affected CODESYS interfaces and limit exposure to trusted administrative networks and accounts.
- Apply Festo connector updates as they are released and monitor both Festo PSIRT and CODESYS security advisories.
- Validate backups and recovery procedures for engineering workstations and OT systems that rely on the affected software bundle.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-076-01, which republishes the vendor advisory for Festo Automation Suite and lists affected product/version combinations, remediation steps, and the CVSS vector. The source corpus consistently describes the vulnerability as a stack-based out-of-bounds write in CmpTraceMgr leading to DoS, memory overwriting, or RCE. The vendor/product labeling in the prompt is low-confidence and should be treated as provisional; the advisory title and references point to Festo Automation Suite with CODESYS components rather than a standalone FESTO product name.
Official resources
- CVE-2022-47390 CVE record (CVE.org)
- CVE-2022-47390 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-02-26 and updated/republished it on 2026-03-17 from Festo advisory materials. The CVE record identifies the issue as CVE-2022-47390.