Introduction
A critical security vulnerability has been identified in the Festo Automation Suite stemming from an issue within the integrated CODESYS Development System. Tracked by CISA under advisory ICSA-26-076-01, this vulnerability poses a severe risk to industrial environments due to its high CVSS v3 score of 9.8.
For security teams, this type of vulnerability—known as Direct Request or Forced Browsing—is particularly concerning. It potentially allows attackers to bypass standard UI controls and directly access restricted URLs or endpoints. If left unpatched, malicious actors could exploit this to manipulate logic or extract sensitive data from automation systems that rely on this software. Immediate verification and remediation are essential to maintaining the integrity of operational technology (OT) assets.
Technical Analysis
The vulnerability resides in specific versions of the Festo Automation Suite that ship with the CODESYS Development System V3.0 or V3.5.16.10. The flaw is classified as CWE-425: Direct Request ('Forced Browsing').
Affected Products
The following configurations are confirmed vulnerable:
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0).
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10).
- FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0) or (3.5.16.10).
Severity
- CVSS v3 Score: 9.8 (CRITICAL)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The "Critical" rating indicates that exploitation is relatively straightforward (low attack complexity) and requires no privileges or user interaction, making it a prime target for automated scanners or opportunistic malware.
Defensive Monitoring
Detecting unpatched versions of specialized engineering software like Festo Automation Suite requires checking the installed file versions against known bad versions. The following scripts and queries can help security teams identify vulnerable assets within their environment.
PowerShell Script for Version Verification
This PowerShell script queries the Windows Registry for installed Festo software and compares the version against the vulnerable thresholds. It is designed to be run locally on engineering workstations or via a configuration management tool.
# Check for vulnerable Festo Automation Suite versions
# Per ICSA-26-076-01, every build prior to 2.8.0.138 (which includes 2.8.0.137) is affected,
# so a single "less than the patched version" comparison covers all listed configurations.
$patchedVersion = [version]"2.8.0.138"

Write-Host "Scanning for Festo Automation Suite..." -ForegroundColor Cyan

# Both the native and the 32-bit (Wow6432Node) uninstall hives are checked.
$uninstallKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$installedApps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue
$festoApps = $installedApps | Where-Object { $_.DisplayName -like "*Festo Automation Suite*" }

if ($festoApps) {
    foreach ($app in $festoApps) {
        Write-Host "Found: $($app.DisplayName) - Version: $($app.DisplayVersion)" -ForegroundColor Yellow
        # DisplayVersion may be absent or not a clean dotted number; a direct [version] cast would throw.
        $version = $null
        if (-not [version]::TryParse([string]$app.DisplayVersion, [ref]$version)) {
            Write-Host "[WARN] Could not parse version string; verify this installation manually." -ForegroundColor Yellow
            continue
        }
        # Versions prior to 2.8.0.138 are vulnerable. [version] compares numerically,
        # so 2.8.0.99 is correctly treated as older than 2.8.0.138 (a string compare would not).
        if ($version -lt $patchedVersion) {
            Write-Host "[ALERT] Vulnerable version detected." -ForegroundColor Red
        } else {
            Write-Host "[OK] Version appears patched." -ForegroundColor Green
        }
    }
} else {
    Write-Host "No Festo Automation Suite installations found." -ForegroundColor Gray
}
KQL Query for Microsoft Sentinel/Defender
Use this KQL query to hunt for devices running processes associated with Festo or CODESYS. Note that specific software inventory data is required for precise versioning; this query helps identify the existence of the software in the environment for follow-up.
// Identify devices running Festo or CODESYS processes
// Note: =~ is a case-insensitive equality test and does not expand wildcards,
// so the original-filename check uses startswith (also case-insensitive).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("CODESYS.exe", "FestoAutomationSuite.exe", "GatewayService.exe")
    or ProcessVersionInfoOriginalFileName startswith "CODESYS"
| project DeviceName, DeviceId, AccountName, FileName, FolderPath, Timestamp
| distinct DeviceName, FileName
// One row per device: how many distinct matching binaries were observed
| summarize Count=count() by DeviceName
| order by Count desc
Remediation
To protect your organization against this vulnerability, security and operations teams must immediately prioritize patching the affected systems.
- Update Immediately: Update the Festo Automation Suite to version 2.8.0.138 or later. This update addresses the underlying CODESYS component vulnerabilities.
- Verify Component Versions: After updating the suite, ensure that the bundled CODESYS Development System is no longer running the vulnerable versions (3.0 or 3.5.16.10) as specified in the advisory.
- Network Segmentation: Ensure that engineering workstations running this software are isolated from the internet and segregated from critical ICS/OT networks via a DMZ or firewall. Restrict access to these workstations using jump hosts.
- Review Access Logs: If the software was exposed to untrusted networks prior to patching, review logs for signs of forced browsing or unauthorized API calls.
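The registry check above only reports the suite version; the "Verify Component Versions" step also needs the bundled CODESYS Development System version. The following script is an added example, not part of the advisory or of Festo's or CODESYS's own tooling: it locates CODESYS.exe binaries and flags the two component versions named in the advisory. It assumes the binaries live under Program Files (adjust the search roots otherwise) and reads the advisory's "3.0" as any 3.0.x.y file version.

```powershell
# Added example: find bundled CODESYS Development System binaries and flag the
# component versions listed in ICSA-26-076-01 (3.0 and 3.5.16.10).
# Assumption: CODESYS.exe is installed somewhere under Program Files.
# Assumption: the advisory's "3.0" covers any 3.0.x.y file version.
$exactVulnerable = [version]"3.5.16.10"
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-CodesysComponentVersion {
    param([version]$FileVersion)
    # $true when the version matches either advisory entry.
    if ($FileVersion.Major -eq 3 -and $FileVersion.Minor -eq 0) { return $true }
    return $FileVersion -eq $exactVulnerable
}

Write-Host "Searching for CODESYS.exe under $($searchRoots -join ', ')..." -ForegroundColor Cyan
$binaries = Get-ChildItem -Path $searchRoots -Filter "CODESYS.exe" -Recurse -File -ErrorAction SilentlyContinue

if (-not $binaries) {
    Write-Host "No CODESYS.exe found; if the suite is installed elsewhere, extend the search roots." -ForegroundColor Gray
    return
}

foreach ($bin in $binaries) {
    $raw = $bin.VersionInfo.FileVersion
    # FileVersion strings can carry trailing build tags; keep only the dotted numeric prefix.
    $m = [regex]::Match([string]$raw, '^\d+(\.\d+){1,3}')
    if (-not $m.Success) {
        Write-Host "[WARN] Unparseable FileVersion '$raw' at $($bin.FullName); verify manually." -ForegroundColor Yellow
        continue
    }
    $fileVersion = [version]$m.Value
    if (Test-CodesysComponentVersion $fileVersion) {
        Write-Host "[ALERT] $($bin.FullName) is CODESYS $fileVersion (listed in the advisory)." -ForegroundColor Red
    } else {
        Write-Host "[OK] $($bin.FullName) is CODESYS $fileVersion (not an advisory version)." -ForegroundColor Green
    }
}
```

Run it after the suite update alongside the registry check so that both the suite build and the bundled component are confirmed.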