ICSA-25-329-05 · Published 2025-11-25 · CISA ICS-CERT
Festo Compact Vision System, Control Block, Controller, and Operator Unit products
CVSS 9.8
CRITICAL
Risk Summary
Successful exploitation of these vulnerabilities could result in an attacker accessing devices without authentication or modifying configuration files.
CVEs (2)
Remediations
Festo has identified the following specific workarounds and mitigations users can apply to reduce risk:
- For CVE-2022-22515: Using the online user management prevents an attacker from downloading and executing malicious code, but also suppresses start, stop, debug, or other actions on a known working application that could potentially disrupt a machine or system.
- For more information, see the associated Festo SE & Co. KG security advisory FSA-202208, "Festo: Multiple Festo products contain an unsafe default Codesys configuration" (available in HTML and CSAF formats).
- For CVE-2022-31806: Enable password protection at login in case no password is set at the controller. Please note that the password configuration file is not covered by the default FFT Backup & Restore mechanism; you must select the related file manually.
Affected Vendors
Festo
Affected Products (33)
- Festo · Festo Software Compact Vision System SBO-Q- · vers:all/*
- Festo · -Q- -Q-
- Festo · Festo Software Control block CPX-CEC-C1 Codesys V2 · vers:all/*
- Festo · Festo Software Control block CPX-CEC-C1-V3 Codesys V3 · vers:all/*
- Festo · Festo Software Control block CPX-CEC Codesys V2 · vers:all/*
- Festo · Festo Software Control block CPX-CEC-M1 Codesys V2 · vers:all/*
- Festo · Festo Software Control block CPX-CEC-M1-V3 Codesys V3 · vers:all/*
- Festo · Festo Software Control block CPX-CEC-S1-V3 Codesys V3 · vers:all/*
- Festo · Festo Software Control block CPX-CMXX · vers:all/*
- Festo · Festo Software Controller CECC-D · vers:all/*
- Festo · Festo Software Controller CECC-D-BA · vers:all/*
- Festo · Festo Software Controller CECC-D-CS · vers:all/*
- Festo · Festo Software Controller CECC-LK · vers:all/*
- Festo · Festo Software Controller CECC-S · vers:all/*
- Festo · Festo Software Controller CECC-X-M1 · vers:all/*
- Festo · Festo Software Controller CECC-X-M1-MV · vers:all/*
- Festo · Festo Software Controller CECC-X-M1-S1 · vers:all/*
- Festo · Festo Software Controller CECX-X-C1 · vers:all/*
- Festo · Festo Software Controller CECX-X-M1 · vers:all/*
- Festo · Festo Software Controller CPX-E-CEC-C1 · vers:all/*
- Festo · Festo Software Controller CPX-E-CEC-C1-EP · vers:all/*
- Festo · Festo Software Controller CPX-E-CEC-C1-PN · vers:all/*
- Festo · Festo Software Controller CPX-E-CEC-M1 · vers:all/*
- Festo · Festo Software Controller CPX-E-CEC-M1-EP · vers:all/*
- Festo · Festo Software Controller CPX-E-CEC-M1-PN · vers:all/*
- Festo · Festo Software Controller FED-CEC · vers:all/*
- Festo · Festo Software Operator unit CDPX-X-A-S-10 · vers:all/*
- Festo · Festo Software Operator unit CDPX-X-A-W-13 · vers:all/*
- Festo · Festo Software Operator unit CDPX-X-A-W-4 · vers:all/*
- Festo · Festo Software Operator unit CDPX-X-A-W-7 · vers:all/*
- Festo · Festo Software Operator unit CDPX-X-E1-W-10 · vers:all/*
- Festo · Festo Software Operator unit CDPX-X-E1-W-15 · vers:all/*
- Festo · Festo Software Operator unit CDPX-X-E1-W-7 · vers:all/*
Affected Sectors
Critical Manufacturing