PatchSiren cyber security CVE debrief
CVE-2023-3670 CODESYS CVE debrief
CVE-2023-3670 describes an unsafe directory-permissions issue in CODESYS Development System and CODESYS Scripting. On affected workstation installations, a locally present attacker could place disguised scripts in locations that legitimate users later trust and run, creating a path to unauthorized code execution in an engineering environment. The supplied advisory ties the issue to CODESYS components referenced in a Festo Automation Suite advisory republished by CISA, with a CVSS v3.1 score of 7.3 (HIGH).
- Vendor: CODESYS
- Product: FESTO
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS defenders, engineering-workstation administrators, and application owners who deploy CODESYS Development System or CODESYS Scripting, especially where those components are bundled with or used alongside Festo Automation Suite.
Technical summary
The advisory states that CODESYS Development System 3.5.9.0 through 3.5.17.0 and CODESYS Scripting 4.0.0.0 through 4.1.0.0 have unsafe directory permissions. A local attacker with access to the workstation could place potentially harmful, disguised scripts in those directories so that a legitimate user may later execute them. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, which reflects local access and user interaction requirements, but also high potential impact if a trusted engineering user runs the planted script.
Defensive priority
High. The issue requires local access and user interaction, but it targets engineering workstations where script execution can have outsized operational impact. Treat remediation as urgent for any affected CODESYS deployment.
Recommended defensive actions
- Inventory workstations and engineering laptops that use CODESYS Development System or CODESYS Scripting, including any Festo Automation Suite deployments that bundle or reference those components.
- Upgrade to patched CODESYS releases as directed by the vendor advisory; the source remediation says to download the latest patched version directly from the official CODESYS website and follow the vendor installation and
- For Festo Automation Suite, keep the connector current and apply FAS updates as released by Festo; the advisory notes that starting with version 2.8.0.138, CODESYS is no longer bundled and must be installed separately by
- Review filesystem permissions on CODESYS-related directories and remove unnecessary write access, especially for non-admin local users.
- Monitor for unexpected or disguised scripts in CODESYS working and script directories, and validate script provenance before execution.
- Apply least privilege on engineering workstations and restrict local interactive access where operationally feasible.
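The permissions review and directory monitoring above can be started with an ACL audit. The following PowerShell is an added example, not code from the advisory, CISA, Festo or CODESYS; the directory paths and the list of broad principals are assumptions to be adjusted to the workstation's actual installation.

```powershell
# Added example (not from the advisory or CODESYS): list CODESYS-related directories
# where broad, non-administrative principals hold write rights, i.e. where a local
# user could drop a disguised script. Paths below are placeholders for the real install.
$CodesysDirs = @(
    "$env:ProgramFiles\CODESYS 3.5.17.0",                  # placeholder install root
    "$env:ProgramFiles\CODESYS 3.5.17.0\CODESYS\Script",   # placeholder script directory
    "$env:ProgramData\CODESYS"                             # placeholder data directory
)

# Principals that should not be able to write into engineering-tool directories (assumption).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user create or replace files in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-CodesysDirAcl {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Check the root and every subdirectory; files inherit from these.
        $dirs = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName
            foreach ($ace in $acl.Access) {
                $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
                $grantsWrite = ([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0
                if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsWrite) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited   # inherited ACEs point at a parent to fix
                    }
                }
            }
        }
    }
}

Test-CodesysDirAcl -Paths $CodesysDirs | Format-Table -AutoSize
```

Each row is a directory to tighten (remove or narrow the ACE, or fix the parent when Inherited is True); an empty result means none of the listed principals can write there.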
Evidence notes
Primary facts come from the supplied CISA CSAF source item for ICSA-26-076-01, which republishes the Festo SE & Co. KG advisory. The source explicitly names the affected CODESYS versions, the unsafe directory-permissions condition, the local-access requirement, and the mitigation guidance. The vendor metadata supplied with this debrief is low-confidence and mixes Festo Automation Suite and CODESYS naming, so this debrief avoids asserting a single definitive vendor identity beyond what the source supports.
Official resources
- CVE-2023-3670 CVE record (CVE.org)
- CVE-2023-3670 NVD detail (NVD)
- Source item URL (cisa_csaf)
According to the supplied timeline, the CVE was published on 2026-02-26 and modified on 2026-03-17. CISA’s advisory source on the same dates republished the underlying Festo SE & Co. KG notice as ICSA-26-076-01.