PatchSiren cyber security CVE debrief
CVE-2023-37552 CODESYS CVE debrief
CVE-2023-37552 is an authenticated denial-of-service issue affecting multiple CODESYS products as deployed with Festo Automation Suite. The advisory says that, after successful user authentication, specially crafted network communication requests with inconsistent content can make the CmpAppBP component read from an invalid internal address, potentially crashing or otherwise denying service. CISA published the advisory on 2026-02-26 and republished it on 2026-03-17 after adopting the Festo advisory material.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators using Festo Automation Suite with bundled CODESYS components, engineering workstation administrators, and security teams responsible for authenticated access to industrial automation tooling should care most. Environments where users can reach the affected CmpAppBP component are the primary concern.
Technical summary
The source advisory describes a post-authentication flaw in CmpAppBP: inconsistent crafted network requests can trigger an invalid internal read, which may result in a denial-of-service condition. The impact described is availability-only (CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), with no source-backed indication of code execution or data theft. The affected scope centers on Festo Automation Suite deployments that bundled CODESYS, particularly versions prior to 2.8.0.138 per the remediation guidance.
Defensive priority
Medium overall, with higher operational priority in production OT environments where authenticated access to the affected component is available.
Recommended defensive actions
- Update to the latest patched CODESYS release from the official CODESYS website.
- If using Festo Automation Suite, move to Festo Automation Suite 2.8.0.138 or later and follow Festo/CODESYS installation and update instructions.
- Verify whether any affected CODESYS component is still bundled or installed separately in your environment and patch it directly if needed.
- Monitor official CODESYS, Festo PSIRT, and CISA advisories for follow-on updates or version guidance.
- Apply CISA ICS defense-in-depth and recommended practices to limit which authenticated users and engineering systems can reach the affected service.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01 and its source JSON, which state that authenticated crafted network requests with inconsistent content can cause CmpAppBP to read from an invalid address and potentially deny service. The remediation section states that Festo Automation Suite versions prior to 2.8.0.138 bundled CODESYS, and that CODESYS is no longer bundled starting with 2.8.0.138. The advisory references the Festo CSAF advisory FSA-202601 and the Festo PSIRT pages. Source metadata contains a vendor/product mapping inconsistency (vendorName 'Unknown Vendor' and productName 'FESTO'), so the debrief follows the advisory title and references rather than the metadata label alone.
Official resources
- CVE-2023-37552 CVE record (CVE.org)
- CVE-2023-37552 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICSA-26-076-01 on 2026-02-26 and republished it on 2026-03-17 after incorporating the Festo advisory information. This write-up is based on those dates, not on the generation date of this debrief.