Advisories | CERT@VDE

1 (current)
2

2023-09-05 12:00 VDE-2023-020

Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions

Incomplete user documentation of undocumented, authenticated test mode and further remote accessible functions. The supported features may be covered only partly by the corresponding user documentation.

Festo developed the products according to the respective state of the art. As a result, the protocols used no longer fully meet today's security requirements. The products are designed and developed for use in sealed-off (industrial) networks. If the network is not adequately sealed off, unauthorized access to the product can cause damage or malfunctions, particularly Denial of Service (DoS) or loss of integrity.

CVE-2023-3634: 8.8

2022-12-13 12:50 VDE-2022-038

Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products

A vulnerability was reported in WIBU-SYSTEMS CodeMeter Runtime.
WIBU-SYSTEMS CodeMeter Runtime is part of the installation packages of several Festo products.
FluidDraw < 6.2c and CIROS <= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.

CVE-2021-41057: 7.1

2022-11-29 12:49 VDE-2022-041

Festo: Incomplete documentation of remote accessible functions and protocols in Festo products (Update A)

Incomplete Festo product documentation of remote accessible functions and their required IP ports. Depending on the product a description of the supported features can be found in the product documentation to some extent.

Update A, 2022-12-13

Added affected device "Bus module CPX-E-PN, 4080497"

CVE-2022-3270: 9.8

2022-11-29 12:41 VDE-2022-037

Festo: Multiple Festo products contain an unsafe default Codesys configuration

The products are shipped with an unsafe configuration of the integrated CODESYS Runtime
environment. In this case no default password is set to the CODESYS PLC and therefore access
without authentication is possible.

With a successful established connection to the CODESYS Runtime the PLC-Browser commands are
available. Thus granting the possibilities to e.g. read and modify the configuration file(s), start/stop
the application and reboot the device.

CVE-2022-31806: 9.8

CVE-2022-22515: 8.1

2022-09-20 12:00 VDE-2022-036

Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function UPDATE A

UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-SET
CPX-CMXX to affected products.

Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service of the device.

CVE-2022-3079: 7.5

2022-07-18 12:00 VDE-2022-022

Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system

The Festo controller CECC product family is affected by multiple vulnerabilities in the CODESYS V3 runtime.

CVE-2019-13548: 9.8

CVE-2019-18858: 9.8

CVE-2021-33485: 9.8

CVE-2019-9010: 9.8

CVE-2018-10612: 9.8

CVE-2020-10245: 9.8

CVE-2019-9008: 8.8

CVE-2019-9013: 8.8

CVE-2022-22515: 8.1

CVE-2021-36764: 7.5

CVE-2020-15806: 7.5

CVE-2018-20025: 7.5

CVE-2018-20026: 7.5

CVE-2019-13532: 7.5

CVE-2021-36763: 7.5

CVE-2022-22517: 7.5

CVE-2022-22519: 7.5

CVE-2021-29241: 7.5

CVE-2019-5105: 7.5

CVE-2019-9012: 7.5

CVE-2019-9009: 7.5

CVE-2021-29242: 7.3

CVE-2022-22514: 7.1

CVE-2010-5250: 6.9

CVE-2022-22513: 6.5

CVE-2018-0739: 6.5

CVE-2019-13542: 6.5

CVE-2020-7052: 6.5

CVE-2020-12068: 6.5

CVE-2017-3735: 5.3

CVE-2019-9011: n/a

CVE-2020-12067: n/a

CVE-2020-12069: n/a

2022-07-18 12:00 VDE-2022-027

Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system

The Festo controller CECC product family in firmware version 2.4.2.0 is affected by multiple vulnerabilities in the CODESYS V3 runtime.

CVE-2020-10245: 9.8

CVE-2021-33485: 9.8

CVE-2019-9013: 8.8

CVE-2022-22515: 8.1

CVE-2021-36763: 7.5

CVE-2021-36764: 7.5

CVE-2021-29241: 7.5

CVE-2022-22519: 7.5

CVE-2022-22517: 7.5

CVE-2020-15806: 7.5

CVE-2019-5105: 7.5

CVE-2021-29242: 7.3

CVE-2022-22514: 7.1

CVE-2022-22513: 6.5

CVE-2020-12068: 6.5

CVE-2020-12069: n/a

CVE-2019-9011: n/a

CVE-2020-12067: n/a

2022-07-06 09:00 VDE-2022-020

Festo: CECC-X-M1 - command injection vulnerabilities (Update A)

The Festo controller CECC-X-M1 product family in multiple versions are affected by a preauthentication command injection vulnerability.

Update A, 2022-07-05

Remediation has been updated. Fixed firmwares are now available.

CVE-2022-30311: 9.8

CVE-2022-30310: 9.8

CVE-2022-30309: 9.8

CVE-2022-30308: 9.8

1 (current)
2

Feeds

RSS / Atom

By Vendor

ADS-TEC Industrial IT (1)

Auma (4)

Beckhoff (8)

Bender (2)

CODESYS (6)

Endress+Hauser (10)

Festo SE (9)

Festo Didactic (3)

Frauscher (2)

Carlo Gavazzi Controls (1)

Helmholz (6)

HIMA (1)

ifm (1)

Innominate (2)

Lenze (2)

MB connect line (9)

Miele (4)

M&M Software (1)

Pepperl+Fuchs (25)

PHOENIX CONTACT (72)

Pilz (8)

Red Lion Europe (1)

SWARCO (1)

TECSON/GOK (1)

Trumpf (1)

TRUMPF Laser (6)

TRUMPF Werkzeugmaschinen (5)

VARTA Storage (1)

VMT (1)

WAGO (47)

Weidmueller (9)

Wiesemann & Theis (2)

Archive

2023

September (5)
August (13)
July (5)
June (3)
May (4)
April (1)
March (3)
February (3)
January (2)

2022

December (5)
November (10)
October (5)
September (7)
August (4)
July (4)
June (7)
May (3)
April (11)
March (5)
January (5)

2021

December (2)
November (6)
October (5)
September (2)
August (10)
July (3)
June (9)
May (6)
April (2)
March (3)
February (3)
January (4)

2020

December (4)
November (3)
October (6)
September (8)
August (1)
July (3)
June (4)
May (2)
March (12)
February (2)

2019

December (2)
October (3)
September (1)
June (4)
May (2)
March (6)
January (1)

2018

October (1)
September (1)
August (2)
July (3)
May (4)
March (1)
February (1)
January (2)

2017

December (2)
November (1)
September (1)
March (1)

Legend

(Scoring for CVSS 2.0,3.0+3.1)

None

No CVE available

Low

0.1 <= 3.9

Medium

4.0 <= 6.9

High

7.0 <= 8.9

Critical

9.0 <= 10.0