According to CISA's ICS Advisory "CODESYS in Festo Automation Suite," released on 17 March 2026, multiple vulnerabilities affect CODESYS in FESTO Software Festo Automation Suite, with CVSS base scores shown up to 9.8. The advisory lists the affected products as FESTO Software Festo Automation Suite (versions prior to 2.8.0.138) installed with CODESYS Development System (3.0 or 3.5.16.10), with version 2.8.0.137 also impacted, across various CVEs.
Mitigations include updating to version 2.8.0.138 or later, downloading the latest patched CODESYS from its official site, and applying updates to the FAS connector as FESTO releases them. The document also points to multiple CVEs, such as CVE-2019-9008 through CVE-2021-29241, and notes that the vulnerabilities range from forced browsing and memory corruption to unsafe deserialisation and inadequate input validation. For further guidance, the advisory references FSA-202601 and related CSAF resources.