Remediations

Mitigation
According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product contact Contemporary Controls for additional information.
https://www.ccontrols.com/support/contacttech.htm

Remediations

Mitigation
GPL Odorizers recommends users update to the latest software version of the GPL750 in connection with the latest firmware from Horner Automation for the XL4, XL4 Prime, XL7, and XL7 Prime devices.https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm.
https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm

Mitigation
GPL Odorizers recommends users clear the old files from their microSD cards, keeping only the LOGS folder and the FIRMWARE.LIC file if they have a WebMI license. The compressed folder downloaded from the link above can then be extracted to the root directory of the microSD card. These files already include the corresponding firmware update. If users do not have IT permissions to access their microSD cards, GPL Odorizers can provide preconfigured SD cards that technicians can simply swap into their odorizers prior to installation.

Mitigation
For assistance in updating GPL Odorizers to the latest version, users should reach out to GPL Odorizers directly via phone number (303) 697-6701 during the hours of 8:00 a.m. to 4:00 p.m. MST.

Mitigation
Horner Automation offers firmware version 15.76 for their XL Series and version 17.30 for their XL Prime Series controllers https://hornerautomation.com/controller-firmware/. An installation guide is available for both the XL series and the XL Prime series.
https://hornerautomation.com/controller-firmware/

Remediations

Vendor fix
Mitsubishi Electric is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf

Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert

Vendor fix
Mitsubishi Electric is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf

Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert

No fix planned
There are no plans to release fixed version for MC Works64. For users of MC Works64, refer to the Mitsubishi Electric security advisory "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf", and take the actions described there.
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf

Mitigation
For customer of GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf".

Mitigation
For customer of GENESIS that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3".

Mitigation
For customer of MC Works 64, Mitsubishi Electric recommends performing the following step (1) and (2). (1)In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf".

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using Windows authentication instead of SQL authentication for the SQL server authentication method, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend configuring the PCs with the affected product installed so that only an administrator can log in, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using the PCs with the affected product installed in the LAN and blocking remote login from untrusted networks and hosts, and from non-administrator users, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend blocking unauthorized access by using a firewall, virtual private network (VPN), etc. and allowing remote login only to administrator when internet access is required, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend restricting physical access to the PC with the affected product installed and to the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing the user from clicking on web links in emails from untrusted sources, or from opening attachments in untrusted emails, to minimize the risk of exploiting this vulnerability.

Remediations

Vendor fix
Mitsubishi Electric is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf

Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert

Vendor fix
Mitsubishi Electric is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf

Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert

No fix planned
There are no plans to release fixed version for MC Works64. For users of MC Works64, refer to the Mitsubishi Electric security advisory "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf", and take the actions described there.
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf

Mitigation
For customer of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following steps (1) and (2). (1) Change the permissions of HHSplitter.exe so that only trusted administrators can execute it. (2) Delete HHSplitter.exe from the system if it is unnecessary.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using Windows authentication instead of SQL authentication for the SQL server authentication method, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend configuring the PCs with the affected product installed so that only an administrator can log in, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using the PCs with the affected product installed in the LAN and blocking remote login from untrusted networks and hosts, and from non-administrator users, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend blocking unauthorized access by using a firewall, virtual private network (VPN), etc. and allowing remote login only to administrator when internet access is required, and from non-administrator users, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend restricting physical access to the PC with the affected product installed and the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing the user from clicking on web links in emails from untrusted sources, or from opening attachments in untrusted emails, to minimize the risk of exploiting this vulnerability.

Remediations

Mitigation
Yokogawa recommends users applying the following mitigations to affected versions:

Vendor fix
CENTUM VP R5.01.00 to R5.04.20: Change the user authentication mode to Windows Authentication Mode.

Vendor fix
CENTUM VP R6.01.00 to R6.12.00: Change the user authentication mode to Windows Authentication Mode.

Vendor fix
CENTUM VP R7.01.00: Apply patch software R7.01.10.

Mitigation
NOTE:Changing to Windows Authentication Mode requires engineering work. If users wish to make this change, please contact Yokogawa directly https://contact.yokogawa.com/cs/gw?c-id=000498.
https://contact.yokogawa.com/cs/gw?c-id=000498

Mitigation
For more information and details on implementing these mitigations, users should see the Yokogawa advisory YSAR-26-0003 at https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf
https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf

Remediations

Mitigation
Since the vulnerability exists in Jasper Report component that is external to Ellipse application, restrict the loading of external custom reports created by end users by allowing only trusted Jasper reports generated by the system administrator.

Remediations

Vendor fix
Update to V26.10 or later version The firmware RTUM85 V26.10 is present within “CP-8010/CP-8012 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109972894/ and also within “SICAM S8000 Package” V26.10 https://support.industry.siemens.com/cs/document/109818240

Vendor fix
Update to V26.10 or later version The firmware CPCI85 V26.10 is present within “CP-8031/CP-8050 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109804985/ and also within “SICAM EGS Package” V26.10 https://support.industry.siemens.com/cs/document/109972536/

Remediations

Vendor fix
Update to V26.10 or later version The firmware CPCI85 V26.10 is present within “CP-8031/CP-8050 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109804985/ and also within “SICAM EGS Package” V26.10 https://support.industry.siemens.com/cs/document/109972536/

Vendor fix
Update to V26.10.0 or later version The firmware SICORE V26.10.0 is present within “CP-8010/CP-8012 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109972894/ and also within “SICAM S8000 Package” V26.10 https://support.industry.siemens.com/cs/document/109818240

Remediations

Mitigation
PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non‑USB communication links. PX4 has published a security hardening guide for integrators and manufacturers at https://docs.px4.io/main/en/mavlink/security_hardening.
https://docs.px4.io/main/en/mavlink/security_hardening

Mitigation
Message signing configuration documentation can be found at https://docs.px4.io/main/en/mavlink/message_signing.
https://docs.px4.io/main/en/mavlink/message_signing

Remediations

Mitigation
Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks.

Mitigation
Users can contact Anritsu Technical Support (1-800-267-4878) for more information.

Remediations

Mitigation
WAGO has identified the following specific workarounds and mitigations users can apply to reduce risk: Product Group: WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-602, WAGO Firmware installed on WAGO Hardware 852-603, WAGO Firmware installed on WAGO Hardware 852-1505, WAGO Firmware installed on WAGO Hardware 852-1305, WAGO Firmware installed on WAGO Hardware 852-1305/000-001, WAGO Firmware installed on WAGO Hardware 852-1505/000-001, WAGO Firmware installed on WAGO Hardware 852-1812, WAGO Firmware installed on WAGO Hardware 852-1813, WAGO Firmware installed on WAGO Hardware 852-1816, WAGO Firmware installed on WAGO Hardware 852-1812/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/010-000, WAGO Firmware installed on WAGO Hardware 852-1816/010-000, WAGO Firmware installed on WAGO Hardware 852-1813/000-001, WAGO Firmware installed on WAGO Hardware 852-1605, WAGO Firmware installed on WAGO Hardware 852-303, WAGO Firmware installed on WAGO Hardware 852-1813/010-001, WAGO Firmware installed on WAGO Hardware 852-1813/010-001): Please update your devices to the specified fixed Firmware version.

Mitigation
Lean Managed Switch 852-1812, Lean Managed Switch 852-1813, Lean Managed Switch 852-1813/000-001, Lean Managed Switch 852-1816, Lean Managed Switch 852-1812/010-000, Lean Managed Switch 852-1813/010-000, Lean Managed Switch 852-1816/010-000, Lean Managed Switch 852-1813/010-001: To eliminate the attack vector deactivate ssh and telnet on the device.

Mitigation
Industrial Managed Switch 852-303, Industrial Managed Switch 852-1305, Industrial Managed Switch 852-1305/000-001, Industrial Managed Switch 852-1505/000-001, Industrial Managed Switch 852-1505, Industrial Managed Switch 852-602, Industrial Managed Switch 852-603, Industrial Managed Switch 852-1605: To reduce the attack vector deactivate ssh and telnet on the devices. This ensures that the CLI is only accessible locally via RS232.

Mitigation
The following product versions have been fixed: Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.3.S1 installed on Lean Managed Switch 852-1813/000-001 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.8.S1 installed on Industrial Managed Switch 852-303 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1305/000-001 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.0.S1 installed on Industrial Managed Switch 852-1505/000-001 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.1.9.S1 installed on Industrial Managed Switch 852-1505 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-602 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.0.6.S1 installed on Industrial Managed Switch 852-603 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.5.S1 installed on Industrial Managed Switch 852-1605 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1812/010-000 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-000 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1816/010-000 are fixed versions for CVE-2026-3587

Mitigation
Firmware V1.2.1.S1 installed on Lean Managed Switch 852-1813/010-001 are fixed versions for CVE-2026-3587

Mitigation
For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.
https://www.wago.com/de-en/automation-technology/psirt

Mitigation
For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.
https://certvde.com/en/advisories/VDE-2026-020

Mitigation
For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020 WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt. VDE-2026-020: WAGO: Vulnerability in managed switches - HTML: https://certvde.com/en/advisories/VDE-2026-020. VDE-2026-020: WAGO: Vulnerability in managed switches - CSAF: https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json.
https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json

Remediations

Mitigation
PTC is aware of the issue and is actively developing a fix. In the meantime, PTC recommends applying the recommended workaround. Until official patches are available, customers must take urgent steps to safeguard their environments. Specifically: Protect any publicly accessible Windchill systems

Vendor fix
While publicly accessible Windchill and FlexPLM systems are at higher risk and require immediate attention, PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure

Vendor fix
Apply the same precautions to FlexPLM deployments

Vendor fix
The following Apache and IIS HTTP Server configuration update should be IMMEDIATELY applied to every Windchill or FlexPLM system: Customers using Apache HTTP Server should only follow "Apache HTTP Server Configuration – Workaround Steps" section steps

Mitigation
Customers using Microsoft IIS should only follow "IIS Configuration - Workaround Steps" section steps

Mitigation
Please explicitly note that the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable

Mitigation
For Windchill releases prior to 11.0 M030, workarounds may need to be altered to apply to unsupported previous releases

Mitigation
For Apache HTTP Server and IIS configuration workaround steps, please refer to the official advisory at:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.
https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability

Mitigation
If immediate remediation is not feasible, additional guidance and remediation options are available:https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability.
https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability

Remediations

Mitigation
The vulnerability was identified by OpenCode Systems on January 5, 2026 and remediated on January 6, 2026 with the release of version 6.33.11.

Mitigation
For more information, contact OpenCode: https://opencode.com/about/contact-us
https://opencode.com/about/contact-us

Remediations

Mitigation
Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit:

Mitigation
Install Patch ProLeiT-2025-001 via ProLeiT Support
https://www.proleit.com/support/

Mitigation
After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality

Mitigation
Force usage of secure Redis configuration templates in system settings as documented in the patch manual

Mitigation
Restart all patched servers and workstations

Mitigation
Schneider Electric strongly recommends the following industry cybersecurity best practices.

Mitigation
Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.

Mitigation
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.

Mitigation
Place all controllers in locked cabinets and never leave them in the "Program" mode.

Mitigation
Never connect programming software to any network other than the network intended for that device.

Mitigation
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.

Mitigation
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.

Mitigation
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.

Mitigation
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

Mitigation
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
https://www.se.com/us/en/download/document/7EN52-0390/

Vendor fix
For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx"
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf

Remediations

Mitigation
Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit:

Mitigation
Install Patch ProLeiT-2025-001 via ProLeiT Support
https://www.proleit.com/support/

Mitigation
After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality

Mitigation
Force usage of secure Redis configuration templates in system settings as documented in the patch manual

Mitigation
Restart all patched servers and workstations

Mitigation
Schneider Electric strongly recommends the following industry cybersecurity best practices.

Mitigation
Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.

Mitigation
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.

Mitigation
Place all controllers in locked cabinets and never leave them in the "Program" mode.

Mitigation
Never connect programming software to any network other than the network intended for that device.

Mitigation
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.

Mitigation
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.

Mitigation
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.

Mitigation
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

Mitigation
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
https://www.se.com/us/en/download/document/7EN52-0390/

Vendor fix
For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx"
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf

Remediations

Mitigation
Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit:

Mitigation
Install Patch ProLeiT-2025-001 via ProLeiT Support
https://www.proleit.com/support/

Mitigation
After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality

Mitigation
Force usage of secure Redis configuration templates in system settings as documented in the patch manual

Mitigation
Restart all patched servers and workstations

Mitigation
Schneider Electric strongly recommends the following industry cybersecurity best practices.

Mitigation
Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.

Mitigation
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.

Mitigation
Place all controllers in locked cabinets and never leave them in the "Program" mode.

Mitigation
Never connect programming software to any network other than the network intended for that device.

Mitigation
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.

Mitigation
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.

Mitigation
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.

Mitigation
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

Mitigation
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
https://www.se.com/us/en/download/document/7EN52-0390/

Vendor fix
For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx"
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf

Remediations

Mitigation
Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit:

Mitigation
Install Patch ProLeiT-2025-001 via ProLeiT Support
https://www.proleit.com/support/

Mitigation
After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality

Mitigation
Force usage of secure Redis configuration templates in system settings as documented in the patch manual

Mitigation
Restart all patched servers and workstations

Mitigation
Schneider Electric strongly recommends the following industry cybersecurity best practices.

Mitigation
Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.

Mitigation
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.

Mitigation
Place all controllers in locked cabinets and never leave them in the "Program" mode.

Mitigation
Never connect programming software to any network other than the network intended for that device.

Mitigation
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.

Mitigation
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.

Mitigation
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.

Mitigation
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

Mitigation
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
https://www.se.com/us/en/download/document/7EN52-0390/

Vendor fix
For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx"
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf

Remediations

Mitigation
Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later.

Remediations

Vendor fix
Version CS 8.1 of EcoStruxure Foxboro DCS includes a fix for this vulnerability and is available through [https://buyautomation.se.com/](https://buyautomation.se.com/) CS 8.1 requires FX-V3 licenses, standard upgrade procedures apply. A reboot is required for workstations and servers. Depending on the existing system version, online upgrade without production interruption might be possible. Schneider Electric recommends you work with your local field service representative or technical service consultant for further information. 
https://buyautomation.se.com/

Mitigation
If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: The vulnerability is attacked with manipulated data from external sources to the DCS computers. Examples for these are: * Configuration taglists * DirectAccess Scripts * Any partial or full Galaxy backups * Library files * Code snippets * ASCII files of any sort * Generally, any file getting from outside the DCS computer on a DCS computer. Only use data from trusted sources, check for correct file name endings on data files, check for reasonable file sizes for any files coming to the system, and check structured data for any fields or columns which might be unexpected. Check for unusual manipulations of data within data files and reject files containing unexpected data or structures. Use secure communication channels and encrypt communications when communicating outside the site network. Avoid and ban removable media (e.g. USB sticks or drives) Minimize count of users with engineering or administrative rights to DCS computers and ensure all interactions on DCS computers are executed with minimal user access rights. Consequently, isolating Foxboro DCS computers will help minimizing the risk of this vulnerability being exploited.

Remediations

Vendor fix
Please apply the fixed version (BC or later) for Mitsubishi Electric M800VW(BND-2051W000), M800VS(BND-2052W000), M80V(BND-2053W000), and M80VW(BND-2054W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.

Vendor fix
Please apply the fixed version (FN or later) for Mitsubishi Electric M800W(BND-2005W000), M800S(BND-2006W000), M80(BND-2007W000), M80W(BND-2008W000), and E80(BND-2009W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using a firewall or virtual private network (VPN) to prevent unauthorized access, when internet access is required, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the product within a LAN and blocking access from untrusted networks and hosts through a firewall, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using IP filters to prevent unauthorized access, when internet access is required, to minimize the risk of exploiting this vulnerability. IP filter function is available for M800V/M80V Series and M800/M80/E80 Series. For details about the IP filter function, refer to the following manual for each product: M800V/M80V Series Instruction Manual "16. Appendix 3 IP Address Filter Setting Function", M800/M80/E80 Series Instruction Manual "15. Appendix 2 IP Address Filter Setting Function"

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the affected product and to all computers and network devices to which the products are connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends installing anti-virus software on PCs that can access the affected product, to minimize the risk of exploiting this vulnerability.

Mitigation
For more information, see Mitsubishi Electric 2025-022. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-022_en.pdf 
https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-022_en.pdf

Remediations

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
https://www.se.com/ww/en/download/document/EIO0000005500/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
https://www.se.com/ww/en/download/document/EIO0000005500/

Mitigation
Modicon Controller M262 Firmware version 5.4.10.12 delivered with EcoStruxure™ Machine Expert v2.5 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M262 to the latest Firmware and perform reboot. For instructions refer to Modicon M262 Logic/Motion Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/

Mitigation
Modicon Controller M262 Firmware version 5.4.10.12 delivered with EcoStruxure™ Machine Expert v2.5 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M262 to the latest Firmware and perform reboot. For instructions refer to Modicon M262 Logic/Motion Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
https://www.se.com/ww/en/download/document/EIO0000005500/

Mitigation
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-01 Improper Resource Shutdown or Release vulnerability in Multiple Products - SEVD-2026-069-01 PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-01.pdf. Improper Resource Shutdown or Release vulnerability in Multiple Products - SEVD-2026-069-01 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-01.json.
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-01.pdf

Mitigation
All affected products: If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Filter ports and IP through the embedded firewall. Use encrypted communication links. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242.
https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Remediations

Vendor fix
Hotfix_279338_Release_2024R2 is available for EcoStruxure Power Monitoring Expert (PME) that includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center to download this hotfix. No reboot required.

Vendor fix
Customers should upgrade to EcoStruxure Power Monitoring Expert (PME) 2024 R3. Contact Schneider Electric’s Customer Care Center for assistance.

Vendor fix
Hotfix_282807 - for 2023R2 is available for EcoStruxure Power Monitoring Expert (PME) that includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center to download this hotfix. No reboot required.

Vendor fix
Customers should upgrade to EcoStruxure Power Monitoring Expert (PME) 2023 R2. Once upgraded, Hotfix_282807 - for 2023R2 is available for EcoStruxure Power Monitoring Expert (PME) that includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for assistance.

Vendor fix
Customers should upgrade to EcoStruxure Power Monitoring Expert (PME) 2023 R2. Once upgraded, Hotfix_282807 - for 2023R2 is available for EcoStruxure Power Monitoring Expert (PME) that includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for assistance.

No fix planned
EcoStruxure Power Monitoring Expert (PME) 2022 version has reached its end of life and is no longer supported. • Ensure your deployment of PME has followed the cybersecurity hardening guidelines provided with the product. https://product-help.schneider-electric.com/EcoStruxure/Power-Monitoring-Expert-2024/content/2_planning/cybersecurity/cyber-planningrecactions.htm • Ensure PME is running in an isolated network • Deploy and configure the Windows firewall to limit access to appropriate network segments• Enforce complex password policies.o Review Server Access Permissions o Conduct an audit of all Windows-authenticated users who currently have access to PME. Repeat this audit of your system periodically. o Identify all accounts with access rights, especially those with elevated privileges or remote access. o Limit access to essential users only.o Revoke access for any user accounts that are not critical for system functionality or daily operations.o Apply the principle of least privilege to ensure users have only the access necessary for their role(s). Customers should also consider upgrading to the latest product offering EcoStruxure Power Monitoring Expert (PME) 2024 R3 to resolve this issue. 
https://product-help.schneider-electric.com/EcoStruxure/Power-Monitoring-Expert-2024/content/2_planning/cybersecurity/cyber-planningrecactions.htm

No fix planned
EcoStruxure Power Operation (EPO) 2022 version and EcoStruxure Power Monitoring Expert (PME) 2022 has reached its end of life and is no longer supported. • Ensure your deployment of PME has followed the cybersecurity hardening guidelines provided with the product. https://product-help.schneider-electric.com/EcoStruxure/Power-Monitoring-Expert-2024/content/2_planning/cybersecurity/cyber-planningrecactions.htm • Ensure PME is running in an isolated network • Deploy and configure the Windows firewall to limit access to appropriate network segments• Enforce complex password policies.o Review Server Access Permissions o Conduct an audit of all Windows-authenticated users who currently have access to PME. Repeat this audit of your system periodically. o Identify all accounts with access rights, especially those with elevated privileges or remote access. o Limit access to essential users only.o Revoke access for any user accounts that are not critical for system functionality or daily operations.o Apply the principle of least privilege to ensure users have only the access necessary for their role(s). Customers should also consider upgrading to the latest product offering EcoStruxure Power Monitoring Expert (PME) 2024 R3 to resolve this issue. 
https://product-help.schneider-electric.com/EcoStruxure/Power-Monitoring-Expert-2024/content/2_planning/cybersecurity/cyber-planningrecactions.htm

Remediations

Mitigation
IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:
1) Enforce modern security profiles and stronger authentication.
2) Device‑level whitelisting was implemented to ensure that only authorized charging units can connect.
3) Rate‑limiting controls prevent excessive requests and reduces DoS risk.
4) Enhanced automated monitoring and alerting to detection abnormal network activity.
Devices using the encrypted deployment of eParking's OCPP servers or IGL-Technologies proprietary eTolppa protocol are not impacted by these vulnerabilities.

Mitigation
To prevent this in the future IGL-Technologies will continue vulnerability monitoring under their ISO 27001:2022 security program and tighten security requirements for future third‑party OCPP hardware approvals.

Mitigation
For more information please contact the IGL-Technologies security team at this email address: security@igl.fi.
mailto:security@igl.fi

Remediations

Mitigation
IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:
1) Enforce modern security profiles and stronger authentication.
2) Device‑level whitelisting was implemented to ensure that only authorized charging units can connect.
3) Rate‑limiting controls prevent excessive requests and reduces DoS risk.
4) Enhanced automated monitoring and alerting to detection abnormal network activity.

Mitigation
Devices using the encrypted deployment of eParking's OCPP servers or IGL-Technologies proprietary eTolppa protocol are not impacted by these vulnerabilities.

Mitigation
To prevent this in the future IGL-Technologies will continue vulnerability monitoring under their ISO 27001:2022 security program and tighten security requirements for future third‑party OCPP hardware approvals.

Mitigation
For more information please contact the IGL-Technologies security team at this email address: security@igl.fi.
mailto:security@igl.fi

Remediations

Mitigation
IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:
1) Enforce modern security profiles and stronger authentication.
2) Device‑level whitelisting was implemented to ensure that only authorized charging units can connect.
3) Rate‑limiting controls prevent excessive requests and reduces DoS risk.
4) Enhanced automated monitoring and alerting to detection abnormal network activity.

Mitigation
Devices using the encrypted deployment of eParking's OCPP servers or IGL-Technologies proprietary eTolppa protocol are not impacted by these vulnerabilities.

Mitigation
To prevent this in the future IGL-Technologies will continue vulnerability monitoring under their ISO 27001:2022 security program and tighten security requirements for future third‑party OCPP hardware approvals.

Mitigation
For more information please contact the IGL-Technologies security team at this email address: security@igl.fi.
mailto:security@igl.fi

Remediations

Mitigation
IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:
1) Enforce modern security profiles and stronger authentication.
2) Device‑level whitelisting was implemented to ensure that only authorized charging units can connect.
3) Rate‑limiting controls prevent excessive requests and reduces DoS risk.
4) Enhanced automated monitoring and alerting to detection abnormal network activity.

Mitigation
Devices using the encrypted deployment of eParking's OCPP servers or IGL-Technologies proprietary eTolppa protocol are not impacted by these vulnerabilities.

Mitigation
To prevent this in the future IGL-Technologies will continue vulnerability monitoring under their ISO 27001:2022 security program and tighten security requirements for future third‑party OCPP hardware approvals.

Mitigation
For more information please contact the IGL-Technologies security team at this email address: security@igl.fi.
mailto:security@igl.fi

Remediations

Mitigation
Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

Mitigation
For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.
https://www.automatedlogic.com/en/company/security-commitment/

Remediations

Mitigation
Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

Mitigation
For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.
https://www.automatedlogic.com/en/company/security-commitment/

Remediations

Mitigation
Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

Mitigation
For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.
https://www.automatedlogic.com/en/company/security-commitment/

Remediations

Vendor fix
Version v25.0.1 of EcoStruxure™ Automation Expert includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/23643079-ecostruxure-automation-expert/
https://www.se.com/ww/en/product-range/23643079-ecostruxure-automation-expert/

Mitigation
If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Solution and archive files must be stored within the user’s home directory or in any location protected by appropriate Windows file‑system access controls to prevent unauthorized access in multi‑user environments. Users who choose to store files outside their home directory are responsible for applying restrictive Windows permissions to secure those locations. Before opening any solution or archive file, users are required to verify its authenticity and ensure that it has not been modified by unauthorized users. For detailed mitigation steps, refer to the User Manual - https://product-help.se.com/EcoStruxure%20Automation%20Expert/25.0/Offer%20Guides/en-US/EAE_UM?t=EAE_UM%2FSolutionIntegrity-FE037ED3.html%3Frhhlterm%3Dundefined%253Frhsearch%253Dundefined&theme=Help
https://product-help.se.com/EcoStruxure%20Automation%20Expert/25.0/Offer%20Guides/en-US/EAE_UM?t=EAE_UM%2FSolutionIntegrity-FE037ED3.html%3Frhhlterm%3Dundefined%253Frhsearch%253Dundefined&theme=Help

Remediations

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/EIO0000005500/

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/EIO0000003059/

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: Modicon Controller M241 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M241 to the latest Firmware and perform reboot. For instructions refer to Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/EIO0000005500/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/us/en/download/document/EIO0000003089/

Mitigation
Modicon Controller M251 Firmware version 5.4.13.12 delivered with EcoStruxure™ Machine Expert v2.5.0.1 includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation install v2.5.0.1 of EcoStruxure™ Machine Expert. For help refer to Schneider Electric Software Installer User Guide available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update Modicon Controller M251 to the latest Firmware and perform reboot. For instructions refer to Modicon M251 Logic Controller, Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/, https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER.
https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER

Mitigation
If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242.
https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Mitigation
Modicon Controllers M258 and Modicon Controllers LMC058: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242.
https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Mitigation
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json.
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf

Mitigation
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02 Improper Neutralization in Multiple Products - PDF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf. Improper Neutralization in Multiple Products - SEVD-2026-069-02 CSAF Version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json.
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json

Remediations

Mitigation
CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information https://www.ctek.com/support.
https://www.ctek.com/support

Remediations

Mitigation
CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information https://www.ctek.com/support.
https://www.ctek.com/support

Remediations

Mitigation
CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information https://www.ctek.com/support.
https://www.ctek.com/support

Remediations

Mitigation
CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information https://www.ctek.com/support.
https://www.ctek.com/support

Remediations

Vendor fix
Update to V2.1.7 or later

Remediations

Vendor fix
Update to V2.1.7 or later

Remediations

Vendor fix
Update to V2.1.7 or later

Remediations

Vendor fix
Update to V2.1.7 or later

Remediations

Vendor fix
Update to V2.1.7 or later

Remediations

Vendor fix
Update to V2.1.7 or later

Remediations

Vendor fix
Version R3.4.2 (Firmware version 9.12.2) of SCADAPack™ 47x and SCADAPack™ 47xi includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/download/document/RemoteConnect/

Vendor fix
Version R3.4.2 of RemoteConnect includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/download/document/RemoteConnect/

Mitigation
If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: Follow the information according to SCADAPack™ Security Guidelines in section 8.3 Secured Communication. Also, apply the following standard practices to reduce the risk of exploit: • Setup network segmentation and implement the RTU firewall service to block all unauthorized access to services • Disable the logic debug service.

Mitigation
Follow the information according to SCADAPack™ Security Guidelines in section 8.3 Secured Communication. Also, apply the following standard practices to reduce the risk of exploit • Setup network segmentation and implement the RTU firewall service to block all unauthorized access to services. • Disable the logic debug service.

Remediations

Vendor fix
v9.1 of EcoStruxure IT Data Center Expert includes a fix for this vulnerability and is available for download here: https://www.se.com/en/product-range/61851-ecostruxure-it-data-center-expert/#software-and-firmware

Mitigation
If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit: • Harden the DCE instance according to the cybersecurity best practices documented in the EcoStruxure IT Data Center Expert Security Handbook • Ensure the SOCKS Proxy is disabled as in the default configuration.

Mitigation
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-05 Use of Hard-coded Credentials vulnerability in EcoStruxure IT Data Center Expert PDF Version https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-05.pdf

Mitigation
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-05 Use of Hard-coded Credentials vulnerability in EcoStruxure IT Data Center Expert CSAF Version https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-05.json

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:

Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:

Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:

Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:

Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108

Remediations

Mitigation
FESTO has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigation
Starting from Festo Automation Suite version 2.8.0.138, Codesys is no longer bundled with the suite and must be downloaded and installed separately by the customer. To mitigate this vulnerability customers are advised to: Download the latest, patched version of Codesys directly from the official Codesys website. Follow the installation and update instructions provided by Codesys to ensure all security fixes are applied. Regularly monitor Codesys security advisories and apply updates promptly. Maintain the Festo Automation Suite connector up to date by installing FAS updates as released by Festo.

Mitigation
The following product versions have been fixed:

Mitigation
CODESYS Development System 3.5.21.20 as an external component of Festo Automation Suite 2.8.0.138 are fixed versions for all CVEs

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2026/fsa-202601.json

Mitigation
For more information see the associated Festo SE & Co. KG security advisory FSA-202601 FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - CSAF, FSA-202601: Several CODESYS vulnerabilities in Festo Automation Suite - HTML.
https://certvde.com/en/advisories/VDE-2025-108