PatchSiren cyber security CVE debrief

CVE-2025-0694 CODESYS CVE debrief

CVE-2025-0694 is an ICS vulnerability in CODESYS Control as distributed with Festo Automation Suite. The advisory says a low-privileged attacker with physical access can exploit insufficient path validation to gain full filesystem access. CISA first published the advisory on 2026-02-26 and later republished the Festo advisory on 2026-03-17.

Vendor: CODESYS
Product: FESTO
CVSS: MEDIUM 6.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT/ICS teams running Festo Automation Suite, especially systems that include CODESYS components, should review this issue. It is most relevant where physical access to engineering workstations or other affected systems is possible.

Technical summary

The supplied advisory describes insufficient path validation in CODESYS Control. In practical terms, the flaw can let a low-privileged attacker with physical access break out of the intended file path restrictions and access the full filesystem. The advisory maps the issue to CWE-22 and gives a CVSS v3.1 vector of AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (6.6).
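To make the weakness class concrete, the following Python is an added illustration of CWE-22 style path validation in general. It is not CODESYS or Festo code and says nothing about how the affected product validates paths; the base directory and request strings are constructed. It contrasts a string-prefix check, which a ".." segment or a sibling directory with a shared name prefix slips past, with a check that canonicalizes the path first and then confirms it is still inside the base directory.

```python
"""Generic CWE-22 path-validation check.

Added example, not CODESYS/Festo code. Models a file service that must only
serve files beneath one base directory. Paths below are constructed and need
not exist on disk; os.path.realpath normalizes them either way.
"""
import os


def is_safe_naive(base_dir: str, requested: str) -> bool:
    """Weak check: string prefix only.

    Neither '..' segments nor symlinks are resolved, and a sibling directory
    whose name merely starts with base_dir also passes.
    """
    return os.path.join(base_dir, requested).startswith(base_dir)


def is_safe_canonical(base_dir: str, requested: str) -> bool:
    """Hardened check: canonicalize, then test containment.

    realpath collapses '.', '..' and symlinks; commonpath compares whole path
    components, so '/srv/x2' is not treated as inside '/srv/x'.
    An absolute 'requested' makes os.path.join discard base_dir, which the
    containment test then rejects.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised when the two paths cannot share a root (e.g. different
        # drives on Windows); treat as outside the base directory.
        return False


def evaluate(base_dir: str, requests: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {request: (naive_decision, canonical_decision)} for each request."""
    return {r: (is_safe_naive(base_dir, r), is_safe_canonical(base_dir, r))
            for r in requests}


if __name__ == "__main__":
    # Constructed base directory and sample requests.
    BASE = "/srv/plcfiles"
    SAMPLES = [
        "config/app.cfg",        # legitimate file under the base
        "../../etc/passwd",      # classic traversal
        "../plcfiles2/secret",   # sibling directory sharing the name prefix
        "/etc/passwd",           # absolute path
    ]
    for req, (naive, canon) in evaluate(BASE, SAMPLES).items():
        print(f"{req!r:28} naive={naive!s:5} canonical={canon}")
```

The naive check allows the traversal and sibling-directory requests because the joined string still begins with the base path; the canonical check allows only the legitimate file. When the base directory exists, `realpath` also follows symlinks, so a link inside the base that points elsewhere is rejected as well.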

Defensive priority

Medium. The attack requires physical access, but the potential impact is high because filesystem exposure can affect confidentiality, integrity, and availability on the affected system.

Recommended defensive actions

  • Install the latest patched CODESYS release from the official CODESYS website.
  • Follow the vendor's installation and update guidance so all security fixes are applied.
  • Update the Festo Automation Suite connector using the latest Festo release.
  • Check whether your environment uses the affected Festo Automation Suite/CODESYS combinations identified in the advisory.
  • Restrict physical access to affected engineering or OT systems and monitor vendor security advisories closely.

Evidence notes

Facts are drawn from the supplied CISA CSAF advisory ICSA-26-076-01 and its referenced Festo/CERT-VDE materials. The record identifies the issue as 'CODESYS in Festo Automation Suite' and describes insufficient path validation that a low-privileged attacker with physical access can exploit. The supplied vendor/product metadata is inconsistent, so attribution should be reviewed before external reporting.

Official resources

Publicly disclosed in CISA CSAF advisory ICSA-26-076-01 on 2026-02-26; CISA republication of the Festo advisory is recorded on 2026-03-17.