PatchSiren cyber security CVE debrief
CVE-2023-37555 CODESYS CVE debrief
CVE-2023-37555 is a medium-severity availability issue in CODESYS components used with Festo Automation Suite. After successful authentication, specially crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially resulting in denial of service. The advisory explicitly says this issue is different from CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, and CVE-2023-37556.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators, plant engineers, and administrators responsible for Festo Automation Suite installations that include CODESYS components, especially teams that manage authentication, patching, and uptime for engineering or automation environments.
Technical summary
CISA’s CSAF advisory ICSA-26-076-01 was published on 2026-02-26 and republished on 2026-03-17. It describes multiple CODESYS product versions used in Festo Automation Suite, including configurations involving bundled CODESYS Development System 3.0 and 3.5.16.10, as well as related 2.8.0.137/2.8.0.138 entries. A user who has already authenticated can send crafted network requests with inconsistent content that cause the CmpAppBP component to read internally from an invalid address, which can disrupt service availability. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5), and the source maps the weakness to CWE-20.
Defensive priority
High for affected industrial environments because the issue is network-triggerable after authentication and can take down an availability-critical component. Prioritize patching and asset verification for any Festo Automation Suite deployment that includes CODESYS.
Recommended defensive actions
- Identify whether any Festo Automation Suite deployment in your environment includes the CODESYS components named in the advisory.
- Install the latest patched version of CODESYS directly from the official CODESYS website.
- Follow the CODESYS installation and update instructions so the available security fixes are actually applied.
- Keep the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.
- Monitor CODESYS and Festo security advisories and apply updates promptly.
- Use CISA ICS recommended practices to reduce exposure and limit the impact of a denial-of-service event.
Evidence notes
This debrief is based on the supplied CISA CSAF source item for ICSA-26-076-01 and its linked official references. The source description states that, after successful authentication, crafted network communication requests with inconsistent content can cause CmpAppBP to read from an invalid address and potentially cause denial of service. The advisory dates in the provided record are 2026-02-26 (published) and 2026-03-17 (modified/republished). The source also states the issue is distinct from CVE-2023-37552, CVE-2023-37553, CVE-2023-37554, and CVE-2023-37556. No KEV entry is present in the supplied enrichment.
Official resources
- CVE-2023-37555 CVE record (CVE.org)
- CVE-2023-37555 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
The supplied record shows CISA published the advisory on 2026-02-26 and republished it on 2026-03-17. The enrichment supplied for this CVE does not list it in CISA KEV.