PatchSiren cyber security CVE debrief
CVE-2023-37546 CODESYS CVE debrief
CVE-2023-37546 affects multiple CODESYS products and Festo Automation Suite deployments that bundle specific CODESYS versions. After successful user authentication, crafted network communication requests with inconsistent content can make the CmpApp component read from an invalid internal address, which can lead to a denial-of-service condition. The issue is documented in CISA’s republication of the Festo advisory and is distinct from CVE-2023-37545, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, and CVE-2023-37550.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators using Festo Automation Suite, administrators of CODESYS-based engineering or runtime environments, and vulnerability management teams responsible for availability-sensitive industrial systems.
Technical summary
The advisory describes an authenticated network-triggered availability issue in the CmpApp component. An attacker must first authenticate as a user, then send specific crafted requests with inconsistent content to provoke an internal read from an invalid address. The reported impact is denial of service only (CVSS 6.5, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Affected configurations listed in the source include Festo Automation Suite versions below 2.8.0.138 with bundled CODESYS Development System 3.0 or 3.5.16.10, and CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138.
Defensive priority
Medium. Prioritize if the affected CODESYS/Festo stack is present in production or safety-relevant environments, since availability loss in OT systems can have outsized operational impact.
Recommended defensive actions
- Inventory Festo Automation Suite and CODESYS installations and match them against the affected version combinations listed in the advisory.
- Upgrade to the latest patched CODESYS release from the official CODESYS website and follow the vendor’s installation/update guidance.
- If using Festo Automation Suite, update to version 2.8.0.138 or later and verify the required CODESYS component has been updated separately, since CODESYS is no longer bundled starting with that release.
- Keep the Festo Automation Suite connector updated by applying Festo releases as they are issued.
- Restrict authenticated access to engineering and maintenance accounts using least privilege and strong access controls.
- Monitor for anomalous authenticated requests affecting CODESYS/CmpApp-related traffic and prepare maintenance and recovery plans to restore availability if needed.
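The first action above is a version-matching exercise, and it is easy to get wrong with string comparison (for example "3.5.9" sorting after "3.5.16"). The following Python is an added example for this debrief, not tooling from Festo, CODESYS or CISA: it encodes the affected combinations exactly as the technical summary states them and classifies an inventory export against them. Host names and versions in the sample inventory are constructed, and the "review" status is a convention introduced here for the one combination the advisory does not spell out (a suite newer than 2.8.0.138 running the externally installed CODESYS build listed for 2.8.0.138). Validate the encoded combinations against the current CSAF document before relying on the result.

```python
"""Match installed Festo Automation Suite (FAS) / CODESYS Development System
combinations against the affected combinations listed for CVE-2023-37546.

Added example for this debrief; not tooling from Festo, CODESYS or CISA.
The affected combinations are transcribed from the technical summary and
should be validated against the current CSAF advisory before use.
"""
from __future__ import annotations

from dataclasses import dataclass

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse '3.5.16.10' into (3, 5, 16, 10) so comparison is numeric, not lexical.

    Trailing zero components are dropped so that '2.8.0.138' and '2.8.0.138.0'
    compare equal and '3.0' matches '3.0.0'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    numbers = [int(p) for p in parts]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers)


# From the advisory summary: FAS below 2.8.0.138 bundled CODESYS 3.0 or 3.5.16.10;
# FAS 2.8.0.138 no longer bundles CODESYS, and 3.5.21.20 is listed as the affected
# external component for that release.
FAS_UNBUNDLED = parse_version("2.8.0.138")
BUNDLED_AFFECTED = {parse_version("3.0"), parse_version("3.5.16.10")}
EXTERNAL_AFFECTED = parse_version("3.5.21.20")


@dataclass(frozen=True)
class Host:
    name: str
    fas_version: str
    codesys_version: str


def classify(host: Host) -> str:
    """Return 'affected', 'review' or 'not_listed' for one host.

    'review' (a convention of this example) flags a FAS release newer than
    2.8.0.138 running the externally installed CODESYS build that the advisory
    lists as affected for 2.8.0.138 itself; the advisory does not cover that case.
    """
    fas = parse_version(host.fas_version)
    codesys = parse_version(host.codesys_version)
    if fas < FAS_UNBUNDLED:
        # Pre-2.8.0.138 suites bundled CODESYS: affected only for the listed builds.
        return "affected" if codesys in BUNDLED_AFFECTED else "not_listed"
    if codesys == EXTERNAL_AFFECTED:
        return "affected" if fas == FAS_UNBUNDLED else "review"
    return "not_listed"


def triage(inventory: list[Host]) -> dict[str, str]:
    """Classify every host; the mapping can feed a ticketing or CMDB workflow."""
    return {host.name: classify(host) for host in inventory}


# Constructed sample inventory: host names and versions are made up for the example.
SAMPLE_INVENTORY = [
    Host("eng-ws-01", "2.7.0.50", "3.5.16.10"),
    Host("eng-ws-02", "2.7.0.50", "3.5.17.0"),
    Host("eng-ws-03", "2.8.0.138", "3.5.21.20"),
    Host("eng-ws-04", "2.8.0.138.0", "3.5.21.30"),
    Host("eng-ws-05", "2.9.0.1", "3.5.21.20"),
    Host("eng-ws-06", "2.6.1.0", "3.0.0"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

A "not_listed" result means only that the combination is not among those the advisory names, not that the host is patched; hosts with an unlisted CODESYS build still belong on the upgrade list until the vendor's fixed release is confirmed installed.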
Evidence notes
The source corpus is CISA’s CSAF republication of the Festo advisory for “CODESYS in Festo Automation Suite,” published 2026-02-26 and revised 2026-03-17. The advisory lists affected Festo Automation Suite/CODESYS version combinations and recommends updating to patched CODESYS and keeping Festo Automation Suite components current. The supplied data marks the issue as not present in CISA KEV. The vendor and product metadata above are inconsistent (the vendor field reads CODESYS while the product field reads FESTO), so product applicability should be validated against the installed Festo/CODESYS combination rather than the vendor label alone.
Official resources
- CVE-2023-37546 CVE record (CVE.org)
- CVE-2023-37546 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2023-37546 was published on 2026-02-26 and modified on 2026-03-17 in the supplied source timeline. CISA republished the Festo advisory as ICSA-26-076-01 on those same dates in the provided corpus. No KEV listing was supplied.