These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2022-31806 is a critical ICS weakness in CODESYS V2 PLCWinNT and Runtime Toolkit 32 versions prior to V2.4.7.57. The advisory states that password protection is not enabled by default and that there is no information or prompt at login to enable password protection when no password is set at the controller. CISA published the advisory on 2026-02-26 and republished it on 2026-03-17 as an initial republ [truncated]
CVE-2022-22514 is an authenticated remote memory-corruption issue described in CISA’s CSAF republication of the Festo advisory for Festo Automation Suite and related CODESYS components. The flaw can expose a dereferenced pointer in a request, which may lead to local overwriting of memory in CmpTraceMgr; the source corpus says the attacker cannot control the read values or the written values, but invalid m [truncated]
CVE-2022-22513 affects CODESYS components used in Festo Automation Suite. The advisory says an authenticated remote attacker can trigger a null pointer dereference in the CmpSettings component, causing a crash. The impact is availability-only, but crashes in OT environments can still disrupt operations.
CVE-2021-36764 is a network-triggerable denial-of-service issue in CODESYS Gateway V3 before 3.5.17.10. According to the advisory, crafted communication requests can trigger a NULL pointer dereference in affected CODESYS products. The source advisory is titled for CODESYS in Festo Automation Suite, and its remediation notes say Festo Automation Suite 2.8.0.138 no longer bundles CODESYS, with customers dir [truncated]
CVE-2021-36763 describes an information-disclosure issue in the CODESYS V3 web server: files or directories are accessible to external parties when running versions before 3.5.17.10. In the CISA-republished Festo advisory context, the issue is tied to Festo Automation Suite deployments that include CODESYS components, making patch level and installation model important for exposure reduction.
CVE-2021-33485 is a critical memory-corruption issue in CODESYS Control Runtime before 3.5.17.10. The supplied CISA CSAF advisory (ICSA-26-076-01) republishes vendor guidance for Festo Automation Suite environments that include affected CODESYS components. Because the CVSS vector is 9.8 with network access, no privileges, and no user interaction required, this should be treated as an urgent patching issue [truncated]
CVE-2021-29242 is a high-severity industrial control systems issue tied to CODESYS Control Runtime before 3.5.17.0. According to the CISA advisory and source description, an attacker able to send crafted communication packets could change the router’s addressing scheme and potentially reroute, add, remove, or modify low-level communication packages. The advisory is published in the context of Festo Automa [truncated]
CVE-2021-29241 is a high-severity availability issue affecting CODESYS Gateway 3 before version 3.5.16.70. In the advisory republished by CISA for Festo Automation Suite environments, the flaw is described as a NULL pointer dereference that may result in denial of service. The issue matters most for industrial and OT deployments where interruption of engineering or gateway services can disrupt operations. [truncated]
CVE-2020-7052 describes an availability issue in CODESYS components used with Festo Automation Suite. The advisory says affected CODESYS Control V3, Gateway V3, and HMI V3 versions before 3.5.15.30 can perform uncontrolled memory allocation, which may lead to a remote denial of service.
CVE-2020-15806 is a high-severity availability issue in the CODESYS Control runtime system before 3.5.16.10. In the CISA-republished Festo advisory, the affected context is Festo Automation Suite deployments that include CODESYS components. The source describes the flaw as uncontrolled memory allocation, with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-exploitable denial [truncated]
CVE-2020-12068 is a privilege-escalation issue in CODESYS Development System before 3.5.16.0. The source advisory states that CODESYS WebVisu and CODESYS Remote TargetVisu are susceptible. In the CISA CSAF republication of Festo advisory FSA-202601, the exposure is also tied to Festo Automation Suite installations that bundled CODESYS before version 2.8.0.138.
CVE-2020-12067 is a high-severity password-management flaw in a CODESYS-based industrial engineering environment. The supplied advisory corpus describes an attacker changing a user’s password without knowing the current password, which can undermine account integrity and access control. The advisory was published on 2026-02-26 and revised on 2026-03-17. Because the supplied source metadata contains incons [truncated]
CVE-2020-10245 is a critical buffer overflow in the CODESYS V3 web server before 3.5.15.40. The official CISA advisory ties the issue to Festo Automation Suite environments that include CODESYS components, and recommends upgrading to patched CODESYS releases and keeping Festo’s connector/software current. Because the flaw is network-reachable and rated CVSS 9.8, exposed OT/ICS installations should treat it as urgent.
CVE-2019-9013 describes a transport-protection weakness in 3S-Smart CODESYS V3 products: the application may use non-TLS based encryption, which can leave user credentials insufficiently protected while they are in transit. The advisory says all variants of the listed CODESYS V3 products that include the CmpUserMgr component are affected, regardless of CPU type or operating system. CISA’s advisory assigns [truncated]
CVE-2019-9012 is a network-reachable denial-of-service issue affecting 3S-Smart CODESYS V3 products that include the CmpGateway component. According to the supplied CISA advisory, a crafted communication request can trigger uncontrolled memory allocations and may make the affected product unavailable. The advisory applies to all variants of the listed CODESYS V3 products prior to v3.5.14.20, regardless of [truncated]
CVE-2019-9011 is a low-complexity information disclosure issue that can let a remote attacker identify valid usernames in affected software. The supplied corpus ties the issue to a CISA-republished Festo advisory for CODESYS-related products, but the CVE description itself names Pilz PMC programming tool 3.x before 3.5.17, so product attribution should be verified before remediation.
CVE-2019-9010 is a critical authentication/authorization flaw in the CODESYS Gateway used by multiple CODESYS V3 products. According to the CISA CSAF advisory published on 2026-02-26 and updated on 2026-03-17, the gateway does not correctly verify ownership of a communication channel. The advisory says all variants of the listed CODESYS V3 products that include the CmpGateway component are affected in ver [truncated]
CVE-2019-9009 is a network-exploitable denial-of-service issue in 3S-Smart CODESYS before 3.5.15.0. According to the advisory corpus, crafted network packets can cause the Control Runtime to crash, which maps to high availability impact and no documented confidentiality or integrity impact in the supplied CVSS vector. For environments using Festo Automation Suite with bundled CODESYS components, this matt [truncated]
CVE-2019-9008 is a high-severity privilege-escalation issue affecting 3S-Smart CODESYS V3 through 3.5.12.30. According to the CISA-republished advisory, a user with low privileges can take full control of the runtime, which makes this especially important for industrial automation environments using affected CODESYS components.
CVE-2019-5105 is a remote, network-reachable memory corruption issue in the Name Service Client functionality used by CODESYS GatewayService. A specially crafted packet can trigger a large memcpy, leading to an access violation and termination of the GatewayService process. The supplied advisory scope is broad: CODESYS V3 products prior to V3.5.16.10 that include CmpRouter or CmpRouterEmbedded are affecte [truncated]
CVE-2019-18858 is a critical buffer overflow in the CODESYS 3 web server before 3.5.15.20. In the CISA CSAF advisory republished from Festo/CERT@VDE, the issue is tied to Festo Automation Suite deployments that include CODESYS components. Because the CVSS vector is network-based with no privileges or user interaction required, and the potential impact is high across confidentiality, integrity, and availab [truncated]
CVE-2019-13548 is a critical, network-reachable stack overflow affecting the CODESYS V3 web server. In the CISA advisory published on 2026-02-26 and republished on 2026-03-17, specially crafted HTTP or HTTPS requests are described as capable of causing a denial-of-service condition and potentially remote code execution. The advisory is tied to CODESYS in the Festo Automation Suite context, and the supplie [truncated]
CVE-2019-13532 affects the CODESYS V3 web server prior to version 3.5.14.10. In the supplied CISA advisory ICSA-26-076-01, specially crafted HTTP or HTTPS requests may allow access to files outside the controller's restricted working directory. The advisory was published on 2026-02-26 and republished on 2026-03-17. For Festo Automation Suite users, the remediation notes say CODESYS is no longer bundled st [truncated]
CVE-2010-5250 describes a local privilege-escalation risk caused by an untrusted search path in pthread_win32_process_attach_np inside pthreadGC2.dll. In the supplied CISA CSAF context, the issue is republished for Festo Automation Suite/CODESYS deployments and mitigated by moving to Festo Automation Suite 2.8.0.138 or later and applying the latest CODESYS fixes.
CVE-2023-26293 is a high-severity path traversal vulnerability in affected Totally Integrated Automation Portal (TIA Portal) versions used within Festo Didactic product environments. If a user is tricked into opening a malicious PC system configuration file, an attacker could create or overwrite arbitrary files in the engineering system and potentially achieve arbitrary code execution. The advisory was in [truncated]
CVE-2023-3634 is a high-severity issue in Festo’s MSE6 product-family. According to the CISA CSAF advisory published on 2023-09-05, a remote authenticated attacker with low privileges could use undocumented test-mode functions and cause a complete loss of confidentiality, integrity, and availability. Because the vulnerable capability is exposed through undocumented behavior rather than a conventional memo [truncated]
CVE-2021-23414 is a cross-site scripting issue described in the source advisory as affecting video.js before 7.14.3, where the src attribute of a track tag can bypass HTML escaping and allow arbitrary code execution. In the supplied CSAF record, this is associated with Festo LX Appliance and remediated through a Festo update path. The issue is network-reachable, requires user interaction, and is rated CVS [truncated]
CVE-2022-3270 is a critical Festo OT issue affecting a wide set of hardware and firmware products. According to the CISA CSAF advisory, a remote unauthenticated attacker could use functions of an undocumented protocol, potentially causing a complete loss of confidentiality, integrity, and availability. The supplied advisory data shows broad product impact and indicates the issue was first published on 202 [truncated]
CVE-2021-27500 is a denial-of-service issue in affected Festo devices using the EIPStackGroup OpENer EtherNet/IP stack. According to the CISA CSAF advisory, a specifically crafted packet can disrupt versions prior to 2021-02-10. The advisory covers multiple Festo SBRD-Q, SBOC-Q, and SBOI-Q product variants and states that no fix is planned, so mitigation depends on reducing exposure and disabling EtherNet [truncated]