
Critical CODESYS Vulnerability in Festo Automation Suite: Immediate Protection Steps Required

Security Arsenal Team
April 1, 2026


A critical vulnerability (CVSS 9.8) in CODESYS within Festo Automation Suite requires immediate patching to prevent forced browsing attacks on OT environments.

Introduction

Industrial control systems (ICS) and operational technology (OT) environments are increasingly targeted by cyber adversaries seeking to disrupt critical infrastructure. The recent identification of a critical vulnerability in CODESYS integrated with Festo Automation Suite presents a significant risk to organizations utilizing these industrial automation solutions. This vulnerability, classified as "Direct Request" or "Forced Browsing," allows unauthorized access to sensitive functionality or data without proper authentication, potentially enabling attackers to manipulate industrial processes, steal proprietary automation logic, or establish a foothold for deeper attacks against OT networks.

Technical Analysis

The vulnerability affects CODESYS Development System versions 3.0 and 3.5.16.10 when integrated with Festo Automation Suite versions prior to 2.8.0.138. Specifically, version 2.8.0.137 and all earlier versions are affected.

With a CVSS v3 score of 9.8 (Critical), this vulnerability poses an urgent threat due to:

  • Low Attack Complexity: few preconditions are required for exploitation
  • No Privileges Required: Attackers need no authentication
  • User Interaction: None required
  • Scope: Changed (impacts components beyond the vulnerable component)
  • High Impact: On confidentiality, integrity, and availability

The forced browsing vulnerability allows attackers to access functionality or data by directly requesting specific URLs or resources, bypassing security controls that would normally protect these resources. In an industrial context, this could include accessing configuration files, authentication credentials, or control interfaces for automation equipment.

Defensive Monitoring

SIGMA Rules

YAML
---
title: Suspicious CODESYS Process Execution
id: 6a2b3c4d-5e6f-7890-1234-567890abcdef
status: experimental
description: Detects execution of vulnerable CODESYS binaries that may be targeted in forced browsing attacks
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-01
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\CODESYS\'
    Image|endswith:
      - '\CODESYS.exe'
      - '\CoDeSys.exe'
      - '\GatewayService.exe'
    CommandLine|contains:
      - '-remote'
      - '-download'
      - '-upload'
  filter:
    ParentImage|contains:
      - '\Program Files (x86)\CODESYS\'
  # A rule without a condition is invalid Sigma; exclude children of the CODESYS install tree
  condition: selection and not filter
falsepositives:
  - Legitimate CODESYS development activities
level: medium
---
title: Network Connection to CODESYS Development System
id: 7b3c4d5e-6f78-9012-3456-7890abcdef12
status: experimental
description: Detects unusual network connections to CODESYS Development System components
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-01
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    # Sigma has no 'between' modifier; bound the 1210-1220 port range with gte/lte
    DestinationPort|gte: 1210
    DestinationPort|lte: 1220
    Initiated: 'true'
    Image|contains:
      - '\CODESYS\'
  filter:
    SourceIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter
falsepositives:
  - Authorized connections from management workstations
level: medium
---
title: Festo Automation Suite File Access Patterns
id: 8c4d5e6f-7890-1234-5678-901234567890
status: experimental
description: Detects file access patterns consistent with forced browsing attacks on Festo Automation Suite
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-01
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Festo Automation Suite\'
      - '\CODESYS\'
    TargetFilename|endswith:
      - '.pro'
      - '.project'
      - '.lib'
      - '.cfg'
      - '.xml'
  filter:
    Image|contains:
      - '\Festo Automation Suite\'
  # The after-hours window (18:00 to 06:00) cannot be expressed as a Sigma field
  # modifier; apply it as a time filter in the SIEM search that consumes this rule
  condition: selection and not filter
falsepositives:
  - Scheduled backup operations
level: high

KQL Queries for Microsoft Sentinel/Defender

KQL — Microsoft Sentinel / Defender
// Detect execution of vulnerable CODESYS versions
DeviceProcessEvents
| where FileName in~ ("CODESYS.exe", "CoDeSys.exe", "GatewayService.exe")
| where FolderPath has "CODESYS"
| where isnull(InitiatingProcessFileName) or InitiatingProcessFileName !has "CODESYS"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName
| sort by Timestamp desc

// Detect network connections to CODESYS ports
DeviceNetworkEvents
| where RemotePort between (1210 .. 1220)
| where InitiatingProcessFileName has "CODESYS"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName
| sort by Timestamp desc

// Identify vulnerable Festo Automation Suite installations
// FileVersion is read from AdditionalFields; compare it numerically with parse_version()
// rather than by substring, so that builds newer than 2.8.0.138 are not flagged
DeviceFileEvents
| where FileName =~ "Festo Automation Suite.exe"
| extend FileVersion = tostring(parse_json(AdditionalFields).FileVersion)
| where isnotempty(FileVersion) and parse_version(FileVersion) < parse_version("2.8.0.138")
| project Timestamp, DeviceName, FolderPath, FileName, FileVersion, SHA1, SHA256
| distinct DeviceName, FolderPath, FileVersion
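The two checks above that are easy to get wrong, the numeric version comparison from the last KQL query and the midnight-crossing after-hours window from the third Sigma rule, implemented over constructed Sysmon-style events as an added example (this is not the advisory's code; the function names, the constants and the sample events are this example's own):

```python
# Added example (not the advisory's own code): the numeric version test the KQL
# query needs and the after-hours file-access logic of the third Sigma rule, run
# over constructed Sysmon-style events. Every name here is this example's own.
import re
from datetime import datetime

FESTO_FIXED = (2, 8, 0, 138)   # first fixed Festo Automation Suite build
PROJECT_EXTS = (".pro", ".project", ".lib", ".cfg", ".xml")

def parse_version(text):
    """'2.8.0.137' -> (2, 8, 0, 137); stop at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_vulnerable_version(text):
    """True when the build sorts below 2.8.0.138 numerically (a substring
    test such as `!contains "2.8.0.138"` would also flag every later build)."""
    return parse_version(text) < FESTO_FIXED

def in_after_hours(ts):
    """18:00-06:00 from the Sigma rule; the window crosses midnight, so OR."""
    return ts.hour >= 18 or ts.hour < 6

def is_suspicious_file_event(ev):
    """Selection and filter of the Sigma rule: in-scope path, project file
    extension, after hours, and not written by the Festo suite itself."""
    target = ev["TargetFilename"]
    in_scope = "\\Festo Automation Suite\\" in target or "\\CODESYS\\" in target
    return (in_scope and target.lower().endswith(PROJECT_EXTS)
            and in_after_hours(ev["UtcTime"])
            and "\\Festo Automation Suite\\" not in ev["Image"])

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": datetime(2026, 3, 29, 2, 15), "Image": "C:\\Tools\\7z.exe",
     "TargetFilename": "C:\\Program Files (x86)\\CODESYS\\Projects\\line1.pro"},
    {"UtcTime": datetime(2026, 3, 29, 10, 0), "Image": "C:\\Tools\\7z.exe",
     "TargetFilename": "C:\\Program Files (x86)\\CODESYS\\Projects\\line1.pro"},
    {"UtcTime": datetime(2026, 3, 29, 23, 30),
     "Image": "C:\\Program Files\\Festo Automation Suite\\Festo Automation Suite.exe",
     "TargetFilename": "C:\\Program Files\\Festo Automation Suite\\backup.project"},
]

def suspicious_targets(events=SAMPLE_EVENTS):
    return [e["TargetFilename"] for e in events if is_suspicious_file_event(e)]
```

Only the first sample event is flagged: the second falls inside working hours and the third is written by the Festo suite itself, which the rule's filter excludes.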

Velociraptor VQL Hunt Queries

VQL — Velociraptor
-- Hunt for vulnerable CODESYS installations
SELECT OSPath, Size, Mtime, Atime
FROM glob(globs="C:\\Program Files (x86)\\CODESYS\\**\\*.exe")
WHERE Name =~ "CODESYS" OR Name =~ "GatewayService"

-- Check Festo Automation Suite version: read FileVersion from the executable's
-- version resource with parse_pe() so it can be compared against build 2.8.0.138
SELECT OSPath, Size, Mtime,
       parse_pe(file=OSPath).VersionInformation.FileVersion AS FileVersion
FROM glob(globs="C:\\Program Files*\\Festo Automation Suite\\Festo Automation Suite.exe")

-- Hunt for CODESYS network activity on ports 1210-1220. netstat() snapshots the
-- current connection table (the plugin named in the original query is not a
-- standard Velociraptor plugin)
SELECT Pid, Name, Laddr.IP AS SourceIp, Raddr.IP AS DestinationIp,
       Raddr.Port AS DestinationPort
FROM netstat()
WHERE Raddr.Port >= 1210 AND Raddr.Port <= 1220
  AND Name =~ "CODESYS"

-- Search for CODESYS project files modified in the last 24 hours
-- (glob() timestamps are used because there is no file_history() plugin)
SELECT OSPath, Mtime, Atime
FROM glob(globs="C:\\Program Files*\\CODESYS\\**\\*.pro")
WHERE Mtime > timestamp(epoch=now() - 86400)

PowerShell Script for Remediation and Verification

PowerShell
<#
.SYNOPSIS
    Script to detect vulnerable versions of Festo Automation Suite with CODESYS
.DESCRIPTION
    Checks for vulnerable versions of Festo Automation Suite prior to 2.8.0.138 
    when installed with CODESYS Development System versions 3.0 or 3.5.16.10
.NOTES
    File Name      : Check-FestoCODESYSVuln.ps1
    Author         : Security Arsenal
    Prerequisite   : PowerShell 5.1 or later
#>

# Function to check if a file version is vulnerable
function Test-VulnerableVersion {
    param (
        [string]$VersionString,
        [string]$SafeVersion = "2.8.0.138"
    )
    
    try {
        $currentVersion = [System.Version]$VersionString
        $safeVersionObj = [System.Version]$SafeVersion
        
        if ($currentVersion -lt $safeVersionObj) {
            return $true
        }
    } catch {
        Write-Warning "Unable to parse version: $VersionString"
    }
    
    return $false
}

# Check for Festo Automation Suite
Write-Host "Checking for Festo Automation Suite installations..." -ForegroundColor Cyan
$festoPaths = @(
    "${env:ProgramFiles}\Festo Automation Suite",
    "${env:ProgramFiles(x86)}\Festo Automation Suite"
)

$vulnerableFound = $false

foreach ($path in $festoPaths) {
    if (Test-Path $path) {
        Write-Host "Found installation at: $path" -ForegroundColor Yellow
        
        # Get version information
        $exePath = Join-Path -Path $path -ChildPath "Festo Automation Suite.exe"
        if (Test-Path $exePath) {
            $versionInfo = (Get-Item $exePath).VersionInfo
            $fileVersion = $versionInfo.FileVersion
            
            Write-Host "Version: $fileVersion" -ForegroundColor White
            
            if (Test-VulnerableVersion -VersionString $fileVersion) {
                Write-Host "VULNERABLE: This version is affected by ICSA-26-076-01" -ForegroundColor Red
                $vulnerableFound = $true
            } else {
                Write-Host "Patched: This version is not affected" -ForegroundColor Green
            }
        }
        
        # Check for CODESYS installation
        $codesysPath = Join-Path -Path $path -ChildPath "CODESYS"
        if (Test-Path $codesysPath) {
            Write-Host "CODESYS detected at: $codesysPath" -ForegroundColor Yellow
            
            $codesysExe = Join-Path -Path $codesysPath -ChildPath "CODESYS.exe"
            if (Test-Path $codesysExe) {
                $versionInfo = (Get-Item $codesysExe).VersionInfo
                $fileVersion = $versionInfo.FileVersion
                
                Write-Host "CODESYS Version: $fileVersion" -ForegroundColor White
                
                # Check if it's a vulnerable version
                if ($fileVersion -like "3.0.*" -or $fileVersion -like "3.5.16.10*") {
                    Write-Host "POTENTIAL VULNERABILITY: This CODESYS version may be affected" -ForegroundColor Red
                    $vulnerableFound = $true
                }
            }
        }
    }
}

# Check for standalone CODESYS installations
Write-Host "`nChecking for standalone CODESYS installations..." -ForegroundColor Cyan
$codesysPaths = @(
    "${env:ProgramFiles}\CODESYS",
    "${env:ProgramFiles(x86)}\CODESYS"
)

foreach ($path in $codesysPaths) {
    if (Test-Path $path) {
        Write-Host "Found CODESYS installation at: $path" -ForegroundColor Yellow
        
        $codesysExe = Join-Path -Path $path -ChildPath "CODESYS.exe"
        if (Test-Path $codesysExe) {
            $versionInfo = (Get-Item $codesysExe).VersionInfo
            $fileVersion = $versionInfo.FileVersion
            
            Write-Host "CODESYS Version: $fileVersion" -ForegroundColor White
            
            # Check if it's a vulnerable version
            if ($fileVersion -like "3.0.*" -or $fileVersion -like "3.5.16.10*") {
                Write-Host "POTENTIAL VULNERABILITY: This CODESYS version may be affected when used with Festo Automation Suite" -ForegroundColor Red
                $vulnerableFound = $true
            }
        }
    }
}

# Generate report
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "VULNERABILITY SCAN SUMMARY" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan

if ($vulnerableFound) {
    Write-Host "VULNERABLE INSTALLATIONS FOUND" -ForegroundColor Red
    Write-Host "Action Required: Update to Festo Automation Suite version 2.8.0.138 or later" -ForegroundColor Yellow
    exit 1
} else {
    Write-Host "NO VULNERABLE INSTALLATIONS FOUND" -ForegroundColor Green
    Write-Host "Recommendation: Continue regular patching and monitoring" -ForegroundColor Green
    exit 0
}

Remediation

To protect your organization against this critical vulnerability, follow these steps:

  1. Immediate Patching
    • Update Festo Automation Suite to version 2.8.0.138 or later
    • Download the latest version from the official Festo portal
  2. Network Segmentation
    • Isolate CODESYS and Festo Automation Suite systems from untrusted networks
    • Implement strict firewall rules limiting access to CODESYS ports (1210-1220)
    • Use jump servers with multi-factor authentication for remote access
  3. Access Control
    • Implement the principle of least privilege for all user accounts
    • Require multi-factor authentication for all remote access to OT systems
    • Regularly review and audit access rights
  4. Monitoring and Detection
    • Deploy the provided SIGMA rules in your SIEM
    • Implement the KQL queries in Microsoft Sentinel/Defender
    • Set up alerts for suspicious CODESYS-related activities
  5. Backup and Recovery
    • Ensure you have recent, offline backups of automation configurations
    • Test restoration procedures for critical systems
  6. Patch Management
    • Establish a regular vulnerability scanning program for OT systems
    • Create a process for quickly deploying critical security updates
    • Consider implementing a patch management system specifically for ICS/OT
  7. Security Awareness
    • Train OT personnel on the risks of forced browsing attacks
    • Implement security awareness programs tailored to industrial control system environments
  8. Incident Response
    • Update your incident response plan to include specific procedures for ICS/OT incidents
    • Conduct regular tabletop exercises simulating attacks against industrial control systems
  9. Compensating Controls (if immediate patching isn't possible)
    • Temporarily restrict remote access to CODESYS interfaces
    • Implement additional network controls such as application-level gateways
    • Increase monitoring frequency for the affected systems
  10. Verification
    • Use the provided PowerShell script to verify the patch status across your environment
    • Conduct vulnerability scans after patching to confirm remediation
