All news with #festo tag

Festo MSE6 Devices: Hidden Test-Mode Vulnerability

⚠️ Festo disclosed a hidden test‑mode vulnerability in the MSE6 product family that could be abused by a remote, authenticated low‑privileged attacker. The issue, tracked as CVE-2023-3634, carries a CVSS v3.1 score of 8.8 and may permit complete loss of confidentiality, integrity, and availability. Festo plans documentation updates in the next product release; CISA recommends isolating devices, minimizing network exposure, and using firewalls and secured VPNs as mitigations.

Festo Didactic: TIA Portal Path Traversal Vulnerability

🔒 Festo reported a path traversal vulnerability in Siemens TIA Portal (V15–V18) as deployed on Festo Didactic hardware. Tracked as CVE-2023-26293 with a CVSS v3.1 base score of 7.8, the flaw can allow creation or overwriting of arbitrary files and could lead to arbitrary code execution if a user opens a crafted project file. The issue requires user interaction and is not remotely exploitable; Festo and CISA recommend applying Siemens updates and following standard protections against malicious files and social engineering.

CISA Releases 18 Industrial Control Systems Advisories

🔔 CISA released 18 Industrial Control Systems (ICS) advisories addressing security flaws across a broad set of vendors and product families. The advisories cover firmware, application software, and cloud services used in operational technology and industrial environments, including products from Siemens, Rockwell Automation, AVEVA, and Mitsubishi Electric. Administrators should review the advisories for technical details and apply vendor mitigations, patches, and compensating controls promptly to reduce risk to availability and safety.

Festo EtherNet/IP Firmware Vulnerabilities — High Risk

⚠️ Festo devices running affected EtherNet/IP firmware are vulnerable to multiple remotely exploitable issues, including incorrect numeric conversions, out-of-bounds reads, and reachable assertions that can lead to denial-of-service or data disclosure. Combined CVSS scores reach up to 8.2, and successful exploitation requires low attack complexity. Festo reports no planned fixes; CISA advises minimizing network exposure, disabling EtherNet/IP when unused, isolating control networks, and using secure remote access such as up-to-date VPNs. Organizations should limit exposure, monitor EtherNet/IP activity, and report suspected incidents.

CISA Publishes Ten New ICS Advisories — Sept 30, 2025

🔔 On September 30, 2025, CISA released ten Industrial Control Systems advisories summarizing current security issues, vulnerabilities, and known exploits affecting a range of ICS products. The advisories cover MegaSys Enterprises, multiple Festo devices, OpenPLC_V3, National Instruments Circuit Design Suite, LG Innotek cameras, and updates for Keysight Ixia, HEIDENHAIN, and Rockwell Automation. Administrators are urged to review the technical details and apply recommended mitigations promptly to reduce operational risk.

Festo CPX-CEC-C1 and CPX-CMXX Privilege Flaw — Remote

⚠️ Festo CPX-CEC-C1 and CPX-CMXX devices contain an improper privilege management vulnerability (CWE-269) that permits unauthenticated remote access to critical webserver functions and may cause a denial of service. The issue is identified as CVE-2022-3079 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/A:H). Festo currently has no firmware fix planned; recommended mitigations include restricting access to TCP port 80 and replacing affected units with specified follow-up products.

Festo CECC Controller Firmware Vulnerabilities and Fixes

⚠️ Festo firmware for Controller CECC-S, -LK, and -D families contains multiple vulnerabilities (aggregate CVSS up to 9.8) in the integrated CODESYS V3 runtime and related components. Affected releases include R05 (2.3.8.0) and R06 (2.3.8.1); Festo advises updating affected units to firmware 2.4.2.0 where fixes are provided. Exploitable issues may enable remote code execution, denial-of-service, privilege escalation, or unauthorized access. CISA recommends isolating control networks, restricting remote exposure, and applying vendor guidance and mitigations while performing appropriate risk analysis.