PatchSiren cyber security CVE debrief
CVE-2023-37554 CODESYS CVE debrief
CVE-2023-37554 affects multiple versions of CODESYS components used with Festo Automation Suite. After successful authentication, a crafted network communication request with inconsistent content can make the CmpAppBP component read from an invalid internal address, which may crash the service and cause denial of service. The advisory is distinct from CVE-2023-37552, CVE-2023-37553, CVE-2023-37555, and CVE-2023-37556. The practical concern is availability impact in operational environments where these engineering tools are used.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS administrators, engineering workstation owners, and patch-management teams using Festo Automation Suite with bundled or separately installed CODESYS components, especially where availability of engineering or control support systems matters.
Technical summary
The advisory describes an authenticated, network-reachable flaw in the CmpAppBP component used in multiple CODESYS product versions. A user with successful authentication can send crafted requests containing inconsistent content that trigger an invalid internal memory read, leading to a potential denial-of-service condition. The CVSS vector indicates network attack surface, low attack complexity, low privileges, no user interaction, and high availability impact, with no confidentiality or integrity impact reported.
Defensive priority
Medium. The issue requires authentication, but it can still interrupt OT/engineering availability. Prioritize remediation for exposed, shared, or mission-critical Festo/CODESYS installations.
Recommended defensive actions
- Inventory Festo Automation Suite installations and identify any affected configurations listed in the advisory, including versions before 2.8.0.138 and installations using the referenced CODESYS Development System builds
- Upgrade to the latest patched CODESYS release obtained directly from the official CODESYS website and follow the vendor's installation and update instructions
- Update Festo Automation Suite to the latest available release and keep the FAS connector current as Festo releases updates
- Use CISA ICS recommended practices and defense-in-depth guidance to reduce exposure of engineering systems and limit authenticated access to only necessary users and networks
- Track vendor and CISA advisories for follow-on updates or clarifications affecting the same product family
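The inventory step above, as an added example that is not part of the advisory or of Festo/CODESYS tooling: it lists Festo Automation Suite and CODESYS entries from the Windows uninstall registry on an engineering workstation and flags FAS builds below the 2.8.0.138 threshold the advisory names. It assumes both products register under the standard Uninstall keys with a DisplayVersion field, and that the DisplayName patterns below match how they appear on the host; the affected CODESYS Development System builds are not listed on this page, so those entries are only surfaced for manual comparison against the advisory.

```powershell
# Added example (not vendor code): inventory FAS/CODESYS installs and flag FAS < 2.8.0.138.
# Assumption: products appear under the standard Uninstall keys with these DisplayName patterns.
$FixedFasVersion = [version]'2.8.0.138'   # threshold named in the advisory

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Festo Automation Suite*' -or $_.DisplayName -like '*CODESYS*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

foreach ($app in $installs) {
    # CODESYS builds: compare against the advisory's affected list by hand
    $status = 'review manually against advisory'
    if ($app.DisplayName -like '*Festo Automation Suite*') {
        $parsed = $null
        if ([version]::TryParse($app.DisplayVersion, [ref]$parsed)) {
            $status = if ($parsed -lt $FixedFasVersion) { 'AFFECTED (below 2.8.0.138)' } else { 'at or above 2.8.0.138' }
        } else {
            $status = 'version unparseable'
        }
    }
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Product = $app.DisplayName
        Version = $app.DisplayVersion
        Path    = $app.InstallLocation
        Status  = $status
    }
}
```

Run it through Invoke-Command across the engineering workstations and pipe the objects to Export-Csv to produce the inventory for the remediation tracking above.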
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01, which republishes the Festo SE & Co. KG advisory FSA-202601. The source lists affected product/version combinations, describes the invalid-address read leading to denial of service, and provides remediation guidance. The vendor field in the prompt is low confidence and appears normalized from Festo-related source material rather than a separate 'Unknown Vendor' product identity.
Official resources
- CVE-2023-37554 CVE record (CVE.org)
- CVE-2023-37554 NVD detail (NVD)
- Source item URL (cisa_csaf)
Coordinated vendor disclosure, republished by CISA as ICSA-26-076-01 on 2026-02-26 and revised on 2026-03-17; the source indicates a vendor advisory origin and public remediation guidance.