ICSA-25-273-04 · Published 2025-11-13 · CISA ICS-CERT
Festo Controller CECC-S,-LK,-D Family Firmware (Update A)
CVSS 9.8 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to crash services, escalate privileges, bypass authentication, or gain unauthorized access to sensitive systems and data.
CVEs (33)
CVE-2022-22515
CVE-2022-22514
CVE-2022-22513
CVE-2021-36763
CVE-2021-33485
CVE-2020-10245
CVE-2019-9008
CVE-2019-18858
CVE-2019-13548
CVE-2019-13542
CVE-2020-15806
CVE-2019-9009
CVE-2019-9011
CVE-2019-9013
CVE-2020-12067
CVE-2020-12069
CVE-2021-36764
CVE-2019-9012
CVE-2020-7052
CVE-2019-5105
CVE-2021-29241
CVE-2021-29242
CVE-2022-22519
CVE-2022-22517
CVE-2019-13532
CVE-2018-20025
CVE-2018-0739
CVE-2018-10612
CVE-2017-3735
CVE-2010-5250
CVE-2020-12068
CVE-2019-9010
CVE-2018-20026
Remediations
- Festo has identified the following specific workarounds and mitigations users can apply to reduce risk:
- (CVE-2020-12068, CVE-2022-22515, CVE-2022-22514, CVE-2022-22513, CVE-2021-36763, CVE-2021-33485, CVE-2020-10245, CVE-2020-15806, CVE-2019-9011, CVE-2019-9013, CVE-2020-12067, CVE-2020-12069, CVE-2021-36764, CVE-2019-5105, CVE-2021-29241, CVE-2021-29242, CVE-2022-22519, CVE-2022-22517, CVE-2018-0739) (Product Group: Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-D (All versions), Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK (All versions), Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S (All versions)): No fix planned. This issue will be handled with the next hardware generation release.
- The following product versions have been fixed:
- For more information see the associated Festo SE & Co. KG security advisory FSA-202202 (Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system), available in HTML and CSAF format.
- (CVE-2018-20026, CVE-2019-9010, CVE-2010-5250, CVE-2019-9008, CVE-2019-18858, CVE-2019-13548, CVE-2019-13542, CVE-2019-9009, CVE-2019-9012, CVE-2020-7052, CVE-2019-13532, CVE-2018-20025, CVE-2018-10612, CVE-2017-3735) (Product Group: Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-D (All versions), Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK (All versions), Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S (All versions)): Update to version 2.4.2.0. This also fixes CODESYS Advisory 2017-01, CODESYS Advisory 2017-03, CODESYS Advisory 2017-06, CODESYS Advisory 2017-07, CODESYS Advisory 2017-09, CODESYS Advisory 2018-04, CODESYS Advisory 2018-05, CODESYS Advisory 2018-07, CODESYS Advisory 2018-11.
- Firmware 2.4.2.0 installed on Controller CECC-D is the fixed version for: CVE-2019-9008, CVE-2019-18858, CVE-2019-13548, CVE-2019-13542, CVE-2019-9009, CVE-2019-9012, CVE-2020-7052, CVE-2019-13532, CVE-2018-20025, CVE-2018-0739, CVE-2018-10612, CVE-2017-3735
- Firmware 2.4.2.0 installed on Controller CECC-LK is the fixed version for: CVE-2019-9008, CVE-2019-18858, CVE-2019-13548, CVE-2019-13542, CVE-2019-9009, CVE-2019-9012, CVE-2020-7052, CVE-2019-13532, CVE-2018-20025, CVE-2018-0739, CVE-2018-10612, CVE-2017-3735
Affected Vendors
Festo
Affected Products (6)
- Festo · Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-D (All versions) · vers:all/*
- Festo · Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK (All versions) · vers:all/*
- Festo · Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S (All versions) · vers:all/*
- Festo · Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK (All versions) · vers:all/*
- Festo · Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S (All versions) · vers:all/*
- Festo · Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-S (All versions) · vers:all/*
Affected Sectors
Critical Manufacturing