Summary
3. TECHNICAL DETAILS
The following versions of CODESYS in Festo Automation Suite are affected:
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
- FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*
- FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.0) vers:all/*
- FESTO Software Festo Automation Suite (2.8.0.137) installed with CODESYS Software CODESYS Development System (3.5.16.10) vers:all/*
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | FESTO, CODESYS | CODESYS in Festo Automation Suite | Direct Request (‘Forced Browsing’), Untrusted Search Path, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Recursion, Improper Access Control, Use of Insufficiently Random Values, Improper Restriction of Communication Channel to Intended Endpoints, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), NULL Pointer Dereference, Stack-based Buffer Overflow, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Incorrect Permission Assignment for Critical Resource, Improper Handling of Exceptional Conditions, Exposure of Resource to Wrong Sphere, Allocation of Resources Without Limits or Throttling, Use of a Broken or Risky Cryptographic Algorithm, Out-of-bounds Write, Weak Password Recovery Mechanism for Forgotten Password, Improper Privilege Management, Use of Password Hash With Insufficient Computational Effort, Buffer Access with Incorrect Length Value, Improper Input Validation, Improper Verification of Cryptographic Signature, Inadequate Encryption Strength, Origin Validation Error, Missing Release of Memory after Effective Lifetime, Improper Resource Shutdown or Release, Deserialization of Untrusted Data, Path Equivalence: ‘//multiple/leading/slash’, Insufficient Verification of Data Authenticity, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Missing Authentication for Critical Function, Out-of-bounds Read, Failure to Sanitize Special Elements into a Different Plane (Special Element Injection), Use of Out-of-range Pointer Offset, Improper Neutralization of Script in Attributes of IMG Tags in a Web Page, Files or Directories Accessible to External Parties, Untrusted Pointer Dereference, Path Traversal: ‘….’ (Multiple Dot), ASP.NET Misconfiguration: Missing Custom Error Page, Uncontrolled Resource Consumption, Unprotected Transport of Credentials, Initialization of a Resource with an Insecure Default, Heap-based Buffer Overflow, Unexpected Sign Extension, Buffer Over-read, Uncontrolled Search Path Element, Improper Verification of Source of a Communication Channel, Improper Restriction of Excessive Authentication Attempts, Use After Free, ASP.NET Misconfiguration: Password in Configuration File, Improper Check for Unusual or Exceptional Conditions, Observable Discrepancy, Incorrect Default Permissions |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2025-2595
An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.
Affected Products
CODESYS in Festo Automation Suite
Vendor:
FESTO, CODESYS
FESTO, CODESYS
Product Version:
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software CODESYS Development System (3.0): vers:all/*, FESTO, CODESYS FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Software
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article: