PatchSiren cyber security CVE debrief
CVE-2023-3663 CODESYS CVE debrief
CVE-2023-3663 is a high-severity issue in CODESYS Development System where a missing integrity check may allow an unauthenticated remote attacker to manipulate notification content received over HTTP by the CODESYS notification server. The advisory context in the supplied source is tied to Festo Automation Suite deployments that include CODESYS components, but the vulnerability statement itself is specific to the CODESYS Development System version range. Systems running affected versions should be treated as exposed until patched or otherwise updated from the vendor’s official release path.
- Vendor: CODESYS
- Product: FESTO
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
Administrators and engineers responsible for CODESYS Development System installations from 3.5.11.20 up to, but not including, 3.5.19.20, especially where the software is deployed as part of or alongside Festo Automation Suite. OT/ICS teams should pay particular attention to any environment where the CODESYS notification server is reachable over HTTP.
Technical summary
The source advisory states that in CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20, a missing integrity check may let an unauthenticated remote attacker manipulate the content of notifications received via HTTP by the CODESYS notification server. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality, integrity and availability impact. CISA’s CSAF republication on 2026-03-17 preserves the same core issue description and remediation context.
Defensive priority
High — prioritize patching and version validation now, especially for any internet- or broadly network-reachable deployment.
Recommended defensive actions
- Upgrade CODESYS Development System to a patched version at or above 3.5.19.20, or deploy the latest official CODESYS release recommended by the vendor.
- If CODESYS is delivered through Festo Automation Suite, confirm whether your suite version bundles CODESYS or requires separate installation; Festo notes that starting with Automation Suite 2.8.0.138, CODESYS is no long
- Use only the official CODESYS download and update process so vendor security fixes are applied correctly.
- Track CODESYS and Festo security advisories regularly and apply updates promptly when new fixes are released.
- Inventory affected systems and verify the exact installed CODESYS Development System version before and after remediation.
- Reduce exposure to the CODESYS notification server where possible by limiting network access to trusted management paths until systems are patched.
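The version check behind the inventory step above, as an added example that is not from the advisory or from CODESYS/Festo tooling: the range bounds are the advisory's, while the host names, versions and inventory format are constructed assumptions. It compares versions numerically rather than as strings, so a host on 3.5.9.0 is not misjudged as being above 3.5.11.20, and it flags unparseable versions for manual verification instead of treating them as safe.

```python
import re

# Affected range as stated in the advisory: inclusive lower bound, exclusive upper bound.
AFFECTED_FROM = "3.5.11.20"
FIXED_IN = "3.5.19.20"
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text):
    """Turn '3.5.11.20' into (3, 5, 11, 20); missing trailing components count as 0.

    Comparing tuples of ints avoids the classic mistake of comparing version
    strings lexically, where '3.5.9.0' would wrongly sort after '3.5.11.20'.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised CODESYS version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True when AFFECTED_FROM <= version < FIXED_IN, matching the advisory wording."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def triage_inventory(inventory):
    """Map {host: version} to 'affected', 'not affected' or 'unknown' per host."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            # Unparseable version: flag for manual verification instead of assuming safe.
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative only.
    sample = {
        "eng-ws-01": "3.5.11.20",  # first affected version
        "eng-ws-02": "3.5.19.10",  # inside the affected range
        "eng-ws-03": "3.5.19.20",  # first fixed version, not affected
        "eng-ws-04": "3.5.9.0",    # below the range; a lexical compare would misjudge it
        "eng-ws-05": "n/a",        # version never recorded in the inventory
    }
    for host, status in sorted(triage_inventory(sample).items()):
        print(f"{host}: {status}")
```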
Evidence notes
The supplied source is the CISA CSAF advisory ICSA-26-076-01, published 2026-02-26 and republished on 2026-03-17, with an advisory title of “CODESYS in Festo Automation Suite.” Its description states that CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 have a missing integrity check that may allow an unauthenticated remote attacker to manipulate notification content received via HTTP by the CODESYS notification server. The source also includes remediation guidance to use official CODESYS updates and to keep the Festo Automation Suite connector current.
Official resources
- CVE-2023-3663 CVE record (CVE.org)
- CVE-2023-3663 NVD detail (NVD)
- Source item URL: cisa_csaf
- Source reference: Reference
CISA published the CSAF advisory on 2026-02-26 and republished it on 2026-03-17. The supplied timing fields should be treated as the advisory publication and modification dates, not as the vulnerability creation date.