PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-3935 Wibu CVE debrief

CVE-2023-3935 is a critical remote code execution vulnerability tied to Festo Automation Suite installations that include CODESYS components. The advisory states that a heap buffer overflow in the Wibu CodeMeter Runtime network service can let an unauthenticated remote attacker gain full host access, so exposed systems should be prioritized for immediate review and patching.

Vendor: Wibu
Product: FESTO
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-03-17
Advisory published: 2026-02-26
Advisory updated: 2026-03-17

Who should care

OT and industrial automation teams using Festo Automation Suite, CODESYS administrators, system integrators, and defenders responsible for Windows or network-exposed engineering workstations and related host systems.

Technical summary

The source advisory describes a heap buffer overflow in the Wibu CodeMeter Runtime network service, affecting versions up to 7.60b. The reported impact is network-reachable, unauthenticated RCE with full host compromise potential, matching CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). The remediation notes indicate that starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be installed separately, which changes the update path for affected deployments.

Defensive priority

Immediate

Recommended defensive actions

  • Identify all systems running Festo Automation Suite and determine whether they include bundled CODESYS / Wibu CodeMeter Runtime components.
  • Prioritize patching or upgrading to Festo Automation Suite 2.8.0.138 or later where applicable.
  • Install the latest patched CODESYS release from the official CODESYS website and follow vendor update guidance.
  • Verify whether any affected hosts expose the relevant network service beyond trusted management networks and restrict exposure where possible.
  • Monitor vendor and CISA advisories for follow-on updates and confirm remediation across all engineering workstations and related host systems.
  • Reassess asset inventory and dependency management because the bundled component model changes after 2.8.0.138.
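The first three actions above amount to an inventory triage: find the hosts, check the Wibu CodeMeter Runtime version against the affected range (up to 7.60b), work out whether the Festo Automation Suite release still bundles CODESYS (below 2.8.0.138) and note whether the network service listens beyond loopback. The script below is an added example, not code from PatchSiren, Festo, CODESYS or CISA. It assumes a constructed inventory shape (hostname, suite version, CodeMeter version, listener bind address); the field names, the inventory records and the version comparison rules (a trailing build letter such as the "b" in 7.60b sorts after the bare number, and "up to 7.60b" is read as inclusive) are assumptions made here, so adapt them to whatever your asset inventory actually exports.

```python
"""Triage a host inventory against the CVE-2023-3935 debrief.

Added example, not part of the PatchSiren page or any vendor tooling.
Inventory format and records below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds taken from the debrief text.
LAST_AFFECTED_CODEMETER = "7.60b"   # advisory: affected "up to 7.60b" (read as inclusive here)
UNBUNDLED_SUITE_FROM = "2.8.0.138"  # from this Suite release CODESYS is installed separately

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '7.60b' into (7, 60, 0, 0, 2) and '2.8.0.138' into (2, 8, 0, 138, 0).

    Numeric parts are padded to a fixed width so dotted versions of different
    length compare consistently; a trailing build letter is mapped to 1..26
    and appended last, so 7.60 < 7.60a < 7.60b < 7.61 (assumed ordering).
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    if len(numbers) > width:
        raise ValueError(f"too many components in {text!r}")
    numbers += [0] * (width - len(numbers))
    letter = m.group(2)
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return tuple(numbers) + (suffix,)


def codemeter_affected(version: str) -> bool:
    """True when the CodeMeter Runtime version is inside the advisory's range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_CODEMETER)


def suite_bundles_codesys(version: str) -> bool:
    """True for Festo Automation Suite releases that still ship CODESYS."""
    return parse_version(version) < parse_version(UNBUNDLED_SUITE_FROM)


def listener_exposed(bind_address: str) -> bool:
    """A loopback-only listener is not reachable from the network."""
    return bind_address not in ("127.0.0.1", "::1", "localhost")


@dataclass
class Host:
    name: str
    suite_version: str
    codemeter_version: Optional[str]  # None when no CodeMeter Runtime was found
    bind_address: Optional[str]       # address the CodeMeter network service listens on


def triage(host: Host) -> Tuple[str, List[str]]:
    """Classify one host and list the actions the debrief calls for."""
    if host.codemeter_version is None:
        return "NOT_AFFECTED", ["no CodeMeter Runtime found"]
    if not codemeter_affected(host.codemeter_version):
        return "NOT_AFFECTED", [f"CodeMeter {host.codemeter_version} is newer than {LAST_AFFECTED_CODEMETER}"]

    notes = [f"CodeMeter Runtime {host.codemeter_version} is within the affected range"]
    if suite_bundles_codesys(host.suite_version):
        notes.append(f"Suite {host.suite_version} bundles CODESYS: upgrade to "
                     f"{UNBUNDLED_SUITE_FROM} or later, then install the patched CODESYS release")
    else:
        notes.append(f"Suite {host.suite_version} does not bundle CODESYS: "
                     "update the separately installed CODESYS/CodeMeter release")
    if host.bind_address and listener_exposed(host.bind_address):
        notes.append(f"network service listens on {host.bind_address}: "
                     "restrict to trusted management networks until patched")
        return "AFFECTED_EXPOSED", notes
    return "AFFECTED", notes


def triage_all(hosts: List[Host]) -> dict:
    return {h.name: triage(h) for h in hosts}


# Constructed inventory: hostnames, versions and bind addresses are made up.
CONSTRUCTED_INVENTORY = [
    Host("eng-ws-01", "2.7.1.45", "7.60b", "0.0.0.0"),
    Host("eng-ws-02", "2.8.0.138", "7.60a", "127.0.0.1"),
    Host("eng-ws-03", "2.8.0.140", "7.70", "0.0.0.0"),
    Host("eng-ws-04", "2.6.0.12", None, None),
]

if __name__ == "__main__":
    for name, (status, notes) in triage_all(CONSTRUCTED_INVENTORY).items():
        print(f"{name}: {status}")
        for note in notes:
            print(f"    - {note}")
```

The version parser is the part worth keeping: plain string comparison would rank "7.60b" below "7.7" and "2.8.0.138" below "2.8.0.14", which is exactly the kind of mistake that leaves a patched-looking host on the affected list. Feed it the real installed-version strings from your endpoint inventory and treat `AFFECTED_EXPOSED` hosts as the ones to isolate first.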

Evidence notes

The advisory source is CISA's republication of a Festo SE & Co. KG advisory (ICSA-26-076-01). The source metadata explicitly links CVE-2023-3935 to Festo Automation Suite product entries and states the vulnerable component is Wibu CodeMeter Runtime network service up to version 7.60b. The prompt's vendor field is low-confidence and appears inconsistent with the advisory title; the evidence in the supplied corpus supports Festo/CODESYS rather than the placeholder vendor mapping.

Official resources

CISA first published the advisory on 2026-02-26 and republished it on 2026-03-17; that release is the initial CISA republication of the Festo advisory. The supplied corpus does not indicate KEV inclusion or a known ransomware campaign.