
Defending Against Critical CODESYS Forced Browsing Flaws in Festo Automation Suite

Security Arsenal Team
March 17, 2026


Operational Technology (OT) environments rely heavily on automation software to keep critical infrastructure running. When these foundational tools are exposed to severe vulnerabilities, the potential for disruption escalates quickly.

Recently, CISA released advisory ICSA-26-076-01 regarding a critical vulnerability in the CODESYS Development System V3, specifically as it is integrated within the Festo Automation Suite. This flaw, classified as a "Direct Request" or "Forced Browsing" vulnerability, allows attackers to bypass security checks by directly accessing specific URLs or file paths.

For defenders, understanding this risk is paramount. A CVSS score of 9.8 (Critical) means this vulnerability is remotely exploitable with low complexity and requires no privileges or user interaction. If left unpatched, malicious actors could manipulate automation logic or access sensitive information on engineering workstations.

Technical Analysis

  • Vulnerability: Direct Request (Forced Browsing)
  • Advisory ID: ICSA-26-076-01
  • CVSS v3 Score: 9.8 (Critical)
  • Affected Vendors: FESTO, CODESYS

The vulnerability exists in the CODESYS web server components integrated with Festo Automation Suite. Forced Browsing attacks occur when an application fails to restrict access to specific resources (like configuration files, administration panels, or backend APIs) that are not intended for public access. By guessing or enumerating URLs, an attacker can invoke these functions directly, bypassing the application's front-end security controls.
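To make the forced-browsing pattern concrete from the defender's side, here is an added Python example (not code from the advisory, CISA, Festo or CODESYS) that scans web-server access-log lines for two signals: a restricted resource answered with a 2xx/3xx status to a client that is not on a trusted list, and a client accumulating 404 responses the way URL guessing does. The restricted-path prefixes and the log lines are constructed for illustration and are not CODESYS paths; in practice the prefix list comes from the product's documentation and the lines from the server's own access log. A 401 or 403 on a restricted path is the access control working and is not flagged.

```python
"""Hunt for forced-browsing signals in web-server access logs.

Added example: not code from the advisory, CISA, Festo or CODESYS. The
restricted-path prefixes and the log lines are constructed for illustration
and are not CODESYS paths; in practice the prefix list comes from the
product's documentation and the lines from the server's own access log.
"""
import re
from collections import defaultdict

# Constructed: prefixes of resources that should never be served to a
# direct request without authentication (hypothetical paths).
RESTRICTED_PREFIXES = ("/admin/", "/config/", "/api/internal/")

# Combined Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_restricted(path):
    """Match on the path only; a query string must not change the decision."""
    return path.split("?", 1)[0].startswith(RESTRICTED_PREFIXES)


def analyze(lines, enumeration_threshold=5, trusted_clients=frozenset()):
    """Return findings in log order.

    restricted_resource_served: a restricted path answered 2xx/3xx to a
        client outside trusted_clients (the access control did not fire;
        a 401/403 here is the control working and is not reported).
    path_enumeration: a client that collected at least
        enumeration_threshold 404s, the footprint of guessing URLs.
    """
    findings = []
    not_found = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than abort the hunt
        if rec["status"] == 404:
            not_found[rec["client"]] += 1
        if (is_restricted(rec["path"]) and 200 <= rec["status"] < 400
                and rec["client"] not in trusted_clients):
            findings.append({"type": "restricted_resource_served",
                             "client": rec["client"],
                             "path": rec["path"],
                             "status": rec["status"]})
    for client, count in not_found.items():
        if count >= enumeration_threshold:
            findings.append({"type": "path_enumeration",
                             "client": client, "count": count})
    return findings


# Constructed log lines: one ordinary client, one that probes several
# non-existent paths and then reaches a restricted resource directly.
SAMPLE_LOG = [
    '10.0.1.10 - - [17/Mar/2026:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.1.10 - - [17/Mar/2026:08:01:05 +0000] "GET /admin/ HTTP/1.1" 403 0',
    '10.0.5.23 - - [17/Mar/2026:08:02:00 +0000] "GET /backup/ HTTP/1.1" 404 0',
    '10.0.5.23 - - [17/Mar/2026:08:02:01 +0000] "GET /old/ HTTP/1.1" 404 0',
    '10.0.5.23 - - [17/Mar/2026:08:02:02 +0000] "GET /test/ HTTP/1.1" 404 0',
    '10.0.5.23 - - [17/Mar/2026:08:02:03 +0000] "GET /dev/ HTTP/1.1" 404 0',
    '10.0.5.23 - - [17/Mar/2026:08:02:04 +0000] "GET /tmp/ HTTP/1.1" 404 0',
    '10.0.5.23 - - [17/Mar/2026:08:02:05 +0000] "GET /config/settings?x=1 HTTP/1.1" 200 2048',
    'not a log line',
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The `trusted_clients` set exists because legitimate administrators will also produce 2xx responses on restricted paths; populate it with the engineering-workstation addresses that are expected to reach the interface, and treat anything else as a hunt lead rather than a confirmed compromise.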

Affected Products

The following specific combinations of Festo Automation Suite and CODESYS Development System are vulnerable:

  • FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
  • FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*
  • FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
  • FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*

The Fix

Festo has addressed this issue in Festo Automation Suite version 2.8.0.138. Updating to this version removes the exploitable condition introduced by the underlying CODESYS components.
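The affected-product list above reduces to one rule on the Festo Automation Suite version: anything below 2.8.0.138 is affected, whichever CODESYS Development System build (3.0 or 3.5.16.10) is bundled, and 2.8.0.138 or newer is fixed. The following added Python example (not code from Festo, CODESYS or the advisory) applies that rule to constructed software-inventory records and shows why the comparison must be done component by component: comparing four-part versions as strings or as floating-point numbers misorders them.

```python
"""Classify Festo Automation Suite versions against ICSA-26-076-01.

Added example: not code from the advisory, Festo or CODESYS. It encodes the
rule stated on this page (any Festo Automation Suite version strictly below
2.8.0.138 is affected, whichever CODESYS Development System build, 3.0 or
3.5.16.10, is bundled; 2.8.0.138 and newer are fixed). The inventory
records are constructed for illustration.
"""
import re

FIXED_VERSION = "2.8.0.138"  # first fixed version per the advisory


def parse_version(text):
    """Turn a dotted version string into a 4-tuple of ints.

    Accepts an optional leading 'v' and ignores a trailing tag such as
    '-beta'; short strings are right-padded with zeros ('2.7' -> (2,7,0,0)).
    Raises ValueError for anything that does not start with dotted digits.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+){0,3})", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text):
    """True when the installed version is strictly below the fixed version."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def classify_inventory(records):
    """records: (hostname, software_name, version) tuples, as a software
    inventory export might supply. Returns {hostname: status} for hosts
    with Festo Automation Suite installed."""
    result = {}
    for host, name, version in records:
        if "festo automation suite" not in name.lower():
            continue  # other software is out of scope for this advisory
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version) else "OK"
        except ValueError:
            # Do not silently treat an unreadable version as safe
            result[host] = "UNPARSEABLE"
    return result


# Constructed inventory records (hostnames and versions are illustrative)
SAMPLE_INVENTORY = [
    ("eng-ws-01", "Festo Automation Suite", "2.8.0.137"),  # listed as affected
    ("eng-ws-02", "Festo Automation Suite", "2.8.0.138"),  # fixed release
    ("eng-ws-03", "Festo Automation Suite", "2.10.0.5"),   # newer than the fix
    ("eng-ws-04", "Festo Automation Suite", "2.7"),        # short version string
    ("eng-ws-05", "Festo Automation Suite", "unknown"),    # inventory gap
    ("eng-ws-06", "Some Other Tool", "1.0.0.0"),           # unrelated software
]


def naive_string_compare_is_wrong():
    """Show the trap: as strings, '2.10.0.5' sorts before '2.8.0.138'
    because '1' < '8', so a string comparison would call 2.10 vulnerable."""
    return "2.10.0.5" < FIXED_VERSION and not is_vulnerable("2.10.0.5")


if __name__ == "__main__":
    for host, status in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The UNPARSEABLE status is deliberate: an inventory row with a missing or malformed version should land in a review queue, not disappear from the vulnerable list because the comparison failed.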

Defensive Monitoring

To effectively defend against this vulnerability, security teams must identify assets running the affected software versions. Since Festo Automation Suite is typically installed on engineering workstations rather than servers, traditional network scanning may miss isolated instances.

Use the following scripts and queries to audit your environment for vulnerable installations.

PowerShell: Check Installed Version

This PowerShell script queries the Windows Registry for installed instances of Festo Automation Suite and checks if the version is below the safe threshold (2.8.0.138).

# Check for vulnerable Festo Automation Suite installations
# Per ICSA-26-076-01, any version strictly below 2.8.0.138 is considered vulnerable.
$SafeVersion = [System.Version]"2.8.0.138"

# Uninstall registry keys for 64-bit, 32-bit (WOW64) and per-user installs
$RegPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

$InstalledApps = Get-ItemProperty -Path $RegPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*Festo Automation Suite*" }

if ($InstalledApps) {
    foreach ($App in $InstalledApps) {
        try {
            # [System.Version] compares all four components numerically,
            # so 2.10.x sorts after 2.8.x (a plain string comparison would not)
            $CurrentVersion = [System.Version]$App.DisplayVersion
            if ($CurrentVersion -lt $SafeVersion) {
                Write-Host "[ALERT] Vulnerable Version Found:" -ForegroundColor Red
                Write-Host "Computer: $env:COMPUTERNAME"
                Write-Host "Application: $($App.DisplayName)"
                Write-Host "Version: $($App.DisplayVersion)"
                Write-Host "Install Path: $($App.InstallLocation)"
            }
            else {
                Write-Host "[OK] Safe Version Found: $($App.DisplayName) - $($App.DisplayVersion)" -ForegroundColor Green
            }
        }
        catch {
            # DisplayVersion missing or not a dotted numeric string; review manually
            Write-Host "[WARN] Could not parse version for $($App.DisplayName): $($App.DisplayVersion)" -ForegroundColor Yellow
        }
    }
}
else {
    Write-Host "No Festo Automation Suite installations found."
}

KQL: Microsoft Defender / Sentinel Detection

If you are using Microsoft Defender for Endpoint or Sentinel with Threat and Vulnerability Management (TVM), you can query the software inventory to locate machines running vulnerable versions of Festo Automation Suite.

// Hunt for vulnerable Festo Automation Suite versions (ICSA-26-076-01)
// parse_version() turns a dotted version string into a comparable number;
// toreal() cannot parse a four-part string such as "2.8.0.138" and returns null.
DeviceTvmSoftwareInventory
| where SoftwareName has "Festo Automation Suite"
| extend ParsedVersion = parse_version(SoftwareVersion)
// Keep rows whose version string did not parse so they can be reviewed manually
| where ParsedVersion < parse_version("2.8.0.138") or isnull(ParsedVersion)
| project DeviceName, DeviceId, SoftwareName, SoftwareVersion, OSPlatform
| order by DeviceName asc

Remediation

Given the Critical severity (CVSS 9.8), remediation should be treated as an emergency action plan, especially for internet-facing systems or those connected to critical ICS networks.

1. Immediate Patching

  • Download and install Festo Automation Suite version 2.8.0.138 or newer immediately.
  • Ensure the update is applied to all engineering workstations and laptops used by OT personnel.

2. Network Segmentation

  • If patching is delayed, ensure that engineering workstations running Festo Automation Suite are not directly accessible from the internet.
  • Restrict access to the web server interfaces of the automation software via firewall rules, allowing access only from necessary internal subnets.

3. Verification

  • After updating, re-run the PowerShell script provided above to confirm the version is now reported as Safe (>= 2.8.0.138).
  • Monitor for unusual outbound connections or unauthorized access attempts on ports associated with the software in your SIEM.
