PatchSiren cyber security CVE debrief
CVE-2023-37559 CODESYS CVE debrief
CVE-2023-37559 affects Festo Automation Suite deployments that include CODESYS components. After a user successfully authenticates, crafted network communication requests with inconsistent content can cause the CmpAppForce component to read from an invalid address and potentially deny service. The issue is availability-only, but that still matters in industrial environments where a service interruption can disrupt operations.
- Vendor: CODESYS
- Product: FESTO
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-03-17
- Advisory published: 2026-02-26
- Advisory updated: 2026-03-17
Who should care
OT/ICS administrators, Festo Automation Suite operators, and teams managing affected CODESYS Development System integrations, especially where authenticated users can reach the service over the network.
Technical summary
According to the CISA CSAF record, the issue occurs after successful user authentication in multiple CODESYS products and versions when specific crafted network requests with inconsistent content trigger an invalid internal read in CmpAppForce. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a network-reachable issue with low attack complexity, low privileges required, no user interaction, and high availability impact. The advisory says this vulnerability is different from CVE-2023-37558.
Defensive priority
Medium. Prioritize it sooner if the affected suite supports production or safety-relevant operations, because even authenticated misuse can interrupt availability in OT environments.
Recommended defensive actions
- Upgrade to Festo Automation Suite 2.8.0.138 or later and follow Festo's guidance for separating the CODESYS installation from the suite.
- Install the latest patched CODESYS release directly from the official CODESYS website, using the vendor's update instructions.
- Keep the Festo Automation Suite connector up to date by applying Festo-released updates.
- Limit access to affected services to trusted, authenticated users and place OT systems behind appropriate network segmentation.
- Monitor Festo, CERT-VDE, CODESYS, and CISA advisories for follow-on fixes or compatibility notes.
- Validate the deployed versions/components in your environment before and after remediation, and test changes in a staging OT environment where possible.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-076-01 republishing the Festo advisory FSA-202601, which names Festo Automation Suite and CODESYS product/version combinations and describes the authenticated network-request condition leading to an invalid read in CmpAppForce. The supplied prompt metadata has low-confidence vendor attribution, so the summary follows the advisory's named product family rather than the placeholder vendor field. The source also provides the CVSS vector and states the issue is different from CVE-2023-37558.
Official resources
- CVE-2023-37559 CVE record (CVE.org)
- CVE-2023-37559 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the supplied advisory on 2026-02-26, with a CISA republication update on 2026-03-17. The supplied record does not indicate KEV listing or ransomware association.