PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-37550 CODESYS CVE debrief

CVE-2023-37550 is a post-authentication denial-of-service issue affecting multiple CODESYS product combinations used with Festo Automation Suite. The advisory says that crafted network communication requests with inconsistent content can make the CmpApp component read from an invalid address, which can disrupt availability. The source also lists impacted Festo Automation Suite releases below 2.8.0.138 and specific bundled CODESYS Development System versions, with remediation centered on using patched CODESYS releases and keeping the Festo connector updated.

Vendor: CODESYS
Product: FESTO
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT/ICS defenders, Festo Automation Suite administrators, and teams responsible for engineering workstations or other systems running bundled CODESYS components in operational environments.

Technical summary

The issue is described as an authenticated, network-reachable input-handling flaw in CmpApp. After successful user authentication, specially crafted requests with inconsistent content can cause an internal read from an invalid address, potentially crashing the component and causing denial of service. The supplied CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which matches the advisory's availability-only impact.

Defensive priority

Medium to high for exposed automation engineering systems. The vulnerability is network-based and can interrupt availability, but it requires valid user authentication and does not indicate confidentiality or integrity impact.

Recommended defensive actions

  • Inventory Festo Automation Suite installations and identify affected versions and bundled CODESYS combinations listed in the advisory.
  • Update to patched CODESYS releases obtained from the official CODESYS website and follow the vendor's installation guidance.
  • Move Festo Automation Suite to version 2.8.0.138 or later, and keep the Festo Automation Suite connector updated.
  • Limit and review user authentication on engineering and automation systems, since exploitation requires successful login.
  • Restrict network access to trusted management and engineering segments and monitor for abnormal CmpApp crashes or service interruptions.
  • Track Festo, CODESYS, and CISA advisories for follow-on updates.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01, which republishes the Festo advisory for this CVE. The advisory states that in multiple CODESYS products and versions, crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid address after successful authentication, potentially leading to denial of service. The advisory metadata also lists affected Festo Automation Suite and CODESYS Development System combinations and provides remediation guidance. The supplied CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. No KEV entry is supplied.

Official resources

CISA published the source advisory on 2026-02-26 and republished it with an updated revision on 2026-03-17. No Known Exploited Vulnerabilities (KEV) listing is supplied for this CVE.