PatchSiren cyber security CVE debrief
CVE-2023-37556 CODESYS CVE debrief
CVE-2023-37556 affects multiple versions of CODESYS-related products used with Festo Automation Suite. After successful authentication, crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid address, which may result in a denial-of-service condition. CISA published the advisory on 2026-02-26 and republished it on 2026-03-17.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators using Festo Automation Suite deployments that include CODESYS components, as well as engineers responsible for patching, validation, and change control in industrial environments.
Technical summary
The advisory describes an authenticated network-triggered flaw in the CmpAppBP component. The issue is tied to crafted requests with inconsistent content that can provoke an invalid internal read and potentially crash or disrupt the affected application. The source advisory lists affected Festo Automation Suite configurations below version 2.8.0.138 and related CODESYS Development System versions/components.
Defensive priority
Medium. The impact is availability-focused rather than direct code execution or data loss, but it affects industrial software and requires authenticated access, so patching and access control remain important.
Recommended defensive actions
- Upgrade to the latest patched CODESYS release referenced by the vendor guidance.
- Install Festo Automation Suite updates as they are released, and move to version 2.8.0.138 or later where the bundled CODESYS model changes.
- Review systems that use Festo Automation Suite with CODESYS Development System 3.0, 3.5.16.10, or 3.5.21.20 and verify whether they fall within the advisory scope.
- Limit authenticated access to engineering and control interfaces to only trusted users and networks.
- Monitor CODESYS and Festo security advisories and apply updates promptly after validation in an OT-safe maintenance window.
Evidence notes
The source corpus is a CISA CSAF republication of a Festo advisory (ICSA-26-076-01) with the CVE published on 2026-02-26 and modified on 2026-03-17. The advisory states that, after successful authentication, crafted network communication requests with inconsistent content can cause CmpAppBP to read from an invalid address, leading to denial of service. The provided source metadata ties affected products to Festo Automation Suite and CODESYS components, including versions below 2.8.0.138 and listed Development System versions. No KEV listing is present in the supplied data.
Official resources
- CVE-2023-37556 CVE record (CVE.org)
- CVE-2023-37556 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA advisory ICSA-26-076-01 on 2026-02-26, with a CISA republication update on 2026-03-17.