PatchSiren cyber security CVE debrief
CVE-2023-37551 CODESYS CVE debrief
CVE-2023-37551 affects CODESYS components used in Festo Automation Suite deployments. After successful authentication as a user, specially crafted network requests can use the CmpApp component to download files with any extension to the controller, bypassing the file-type filtering applied by CmpFileTransfer. The advisory says this can compromise the integrity of the CODESYS control runtime system.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT operators, control engineers, and administrators responsible for Festo Automation Suite installations that include affected CODESYS components, especially where authenticated users can reach controller services.
Technical summary
The issue is an authenticated network-access flaw in CmpApp. Instead of restricting downloads to the file types expected by the regular CmpFileTransfer path, CmpApp accepts arbitrary file extensions, allowing a user with valid credentials to place potentially harmful files on the controller. The supplied advisory associates the problem with a high integrity impact and a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5).
Defensive priority
Medium overall, but treat as high priority in OT environments because controller integrity can affect production behavior. Prioritize systems that expose authenticated CODESYS access and any Festo Automation Suite deployment using affected bundled components.
Recommended defensive actions
- Upgrade to patched CODESYS releases referenced by the vendor advisory and apply Festo Automation Suite updates as released.
- For Festo Automation Suite 2.8.0.138 and later, follow the vendor guidance that CODESYS is no longer bundled and must be installed separately from the official CODESYS source.
- Review which users have authenticated access to controller-facing services and restrict those accounts to the minimum required privileges.
- Monitor for unexpected file transfers or new files on affected controllers, especially where file extensions would normally be restricted.
- Track CISA and vendor advisories for any follow-up revisions or additional affected product/version clarifications.
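One way to operationalize the monitoring recommendation above, as an added example that is not part of the advisory or of any CODESYS or Festo tooling: compare a baseline file listing from a controller with a current listing and flag files whose extension falls outside the allowlist CmpFileTransfer would normally enforce, plus any new or modified files. The allowlist, the tab-separated listing format and the sample paths are assumptions (the advisory does not enumerate the CmpFileTransfer filter).

```python
from pathlib import PurePosixPath

# Assumed allowlist: the advisory does not list which extensions
# CmpFileTransfer permits, so adapt this to the controller's documented set.
ALLOWED_EXTENSIONS = {".app", ".crc", ".cfg", ".txt", ".log"}

# Constructed sample listings (path<TAB>size<TAB>mtime), e.g. from a
# scheduled export of the controller file system. Not real controller data.
BASELINE_LISTING = """\
/PlcLogic/Application/Application.app\t40960\t2026-02-01T08:00:00
/PlcLogic/Application/Application.crc\t4\t2026-02-01T08:00:00
/cfg/runtime.cfg\t1200\t2026-01-15T12:00:00
"""
CURRENT_LISTING = """\
/PlcLogic/Application/Application.app\t40960\t2026-02-01T08:00:00
/PlcLogic/Application/Application.crc\t4\t2026-02-01T08:00:00
/cfg/runtime.cfg\t1300\t2026-03-02T09:12:00
/PlcLogic/Application/helper.so\t22000\t2026-03-02T09:10:00
/PlcLogic/Application/notes.txt\t80\t2026-03-02T09:11:00
"""


def parse_listing(text):
    """Parse 'path<TAB>size<TAB>mtime' lines into {path: (size, mtime)}."""
    entries = {}
    for line in text.strip().splitlines():
        path, size, mtime = line.split("\t")
        entries[path] = (int(size), mtime)
    return entries


def audit_controller_files(baseline_text, current_text):
    """Return (path, reason) findings, ordered by path.

    A disallowed extension is reported first because it is the direct
    indicator of the CmpApp filter bypass; new or modified files with an
    allowed extension are still reported for review.
    """
    baseline = parse_listing(baseline_text)
    current = parse_listing(current_text)
    findings = []
    for path, meta in sorted(current.items()):
        ext = PurePosixPath(path).suffix.lower()
        if ext not in ALLOWED_EXTENSIONS:
            findings.append((path, "extension outside allowlist"))
        elif path not in baseline:
            findings.append((path, "new file"))
        elif baseline[path] != meta:
            findings.append((path, "modified file"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_controller_files(BASELINE_LISTING, CURRENT_LISTING):
        print(f"{reason:28s} {path}")
```

Run the audit on each listing export and forward the findings to the SIEM alongside the runtime's file-transfer logs, so an unexpected file can be tied back to the authenticated account that placed it.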
Evidence notes
The supplied CISA CSAF advisory (ICSA-26-076-01) published on 2026-02-26 and republished on 2026-03-17 states that multiple CODESYS products and versions are affected, including Festo Automation Suite versions below 2.8.0.138 and listed bundled/external CODESYS components. The advisory text specifically says authenticated users can use CmpApp to download arbitrary file extensions and that the integrity of the CODESYS control runtime system may be compromised. The vendor attribution in the supplied dataset is marked low confidence and needs review, so this debrief focuses on the documented product and component relationship rather than broad vendor assumptions.
Official resources
- CVE-2023-37551 CVE record (CVE.org)
- CVE-2023-37551 NVD detail (NVD)
- Source item (cisa_csaf): CISA CSAF advisory ICSA-26-076-01
Use 2026-02-26 as the CVE publication date. The source advisory was republished on 2026-03-17, but that is a modification/republication date, not the original vulnerability date.