PatchSiren cyber security CVE debrief
CVE-2023-37557 CODESYS CVE debrief
CVE-2023-37557 is an authenticated denial-of-service issue in CODESYS components used with Festo Automation Suite. According to the CISA CSAF advisory, crafted remote communication requests can make the CmpAppBP component overwrite a heap-based buffer, which can crash the affected service. The advisory was initially published by CISA on 2026-02-26 and later republished on 2026-03-17 from Festo’s original advisory.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS operators, plant engineers, and administrators running Festo Automation Suite or the listed CODESYS Development System versions should review exposure. This matters most where authenticated users can reach the affected remote communication interfaces.
Technical summary
The advisory identifies multiple affected Festo Automation Suite deployments involving bundled or external CODESYS Development System versions, including installs below 2.8.0.138 and specific pairings with CODESYS 3.0, 3.5.16.10, and 3.5.21.20. After successful user authentication, specially crafted remote communication requests can trigger a heap-based buffer overwrite in the CmpAppBP component, resulting in denial of service. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5).
Defensive priority
Medium-to-high. The score is medium, but the impact is availability loss in an industrial/operational context, so patching and exposure review should be prioritized for systems in production.
Recommended defensive actions
- Upgrade Festo Automation Suite to version 2.8.0.138 or later where applicable.
- Install the latest patched CODESYS release directly from the official CODESYS website, following vendor instructions.
- Review all Festo Automation Suite installations and confirm which systems use the affected CODESYS versions listed in the advisory.
- Keep the Festo Automation Suite connector and related updates current as Festo releases fixes.
- Monitor CISA, Festo, and CODESYS advisories for follow-on guidance and apply updates promptly.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-076-01 (published 2026-02-26, republished 2026-03-17), which republishes Festo SE & Co. KG advisory FSA-202601. The advisory text states that, after successful authentication, crafted remote communication requests can overwrite a heap-based buffer in CmpAppBP and cause denial of service. The remediation section says that from Festo Automation Suite 2.8.0.138 onward, CODESYS is no longer bundled and should be installed separately, with patched CODESYS obtained from the official CODESYS site.
Official resources
- CVE-2023-37557 CVE record (CVE.org)
- CVE-2023-37557 NVD detail (NVD)
- Source item URL: cisa_csaf
Initial CISA publication: 2026-02-26T08:00:00.000Z. CISA republication/update: 2026-03-17T06:00:00.000Z. The CISA advisory is a republication of Festo SE & Co. KG advisory FSA-202601.