
Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products

VDE-2022-038
Last update: 01.10.2025 12:50
Published at: 13.12.2022 12:50
Vendor(s): Festo SE & Co. KG
External ID: FSA-202206

Summary

A vulnerability was reported in WIBU-SYSTEMS CodeMeter Runtime, which is part of the installation packages of several Festo products. FluidDraw < 6.2c and CIROS <= 7.0.6 contain a vulnerable version of WIBU-SYSTEMS CodeMeter Runtime.

Impact

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| 8038980 | CIROS | <=6.4.6 (before 2022-09-15) |
| 8140772, 8140773 | CIROS | <=7.0.6 (before 2022-09-15) |
| | FluidDraw P5 | vers:all/* |
| | FluidDraw P6 | <6.2c |
| | MES PC | vers:all/* |

Vulnerabilities


Published: 06.10.2025 14:04
Weakness: Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Summary

In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.

References

Remediation

FluidDraw P5, FluidDraw P6

Do not install FluidDraw from an installation package below version 6.2c.
Updated versions of FluidDraw are available on the Festo website.

If the FluidDraw installation package is below version 6.2c:

  • Do not use the WIBU CodeMeter package that is part of the FluidDraw installation package.
  • Skip the CodeMeter installation step during the FluidDraw installation.
  • Instead, use a current CodeMeter version from the WIBU website and install it separately.
  • If a vulnerable CodeMeter version is already installed, update every such WIBU CodeMeter installation to the current version of WIBU CodeMeter.

Please refer to the WIBU CodeMeter documentation and website for further details and mitigations on usage of WIBU CodeMeter Runtime before 7.30a.


CIROS

For future installations:

For existing installations:

  • Update the WIBU CodeMeter Runtime separately to at least version 7.30a (downloaded from the WIBU Systems website).
  • Refer to the WIBU CodeMeter documentation and website for further details and mitigations.

MES PC

If your copy of MES4 came preinstalled on a PC shipped before December 2022:

  • Ensure the PC has at least CodeMeter Runtime 7.30a installed.
  • If necessary, download the update from the WIBU Systems website.

In addition to the above

Festo strongly recommends:

  • Restricting unprivileged access to machines running Festo software.
  • Minimizing and protecting network access to connected devices using state-of-the-art techniques and processes.

For secure operation, follow the recommendations in the product manuals.
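
The version checks in the remediation steps above can be run over a software inventory. The following Python code is an added example, not part of the Festo advisory and not Festo or WIBU tooling. The inventory format (host, product, version), the host names and the sample versions are constructed, "FluidDraw" here means the installation package version, and the code assumes that a letter suffix sorts after the bare number (7.30 is older than 7.30a).

```python
import re

# Minimum fixed versions, taken from the advisory text above.
MIN_FIXED = {"CodeMeter Runtime": "7.30a", "FluidDraw": "6.2c"}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$")

def parse_version(text):
    """Turn '7.30a' into (7, 30, 'a'); raise ValueError on other formats."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    # Assumption: a letter suffix sorts after the bare number (7.30 < 7.30a).
    return int(m.group(1)), int(m.group(2)), m.group(3)

def is_vulnerable(product, version):
    """True if version sorts before the fixed version for product."""
    return parse_version(version) < parse_version(MIN_FIXED[product])

def audit(inventory_csv):
    """Return (host, product, version, status) for each inventory line."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        if product not in MIN_FIXED:
            status = "not-covered"
        else:
            try:
                status = "UPDATE" if is_vulnerable(product, version) else "ok"
            except ValueError:
                status = "review"  # unknown format: check by hand
        findings.append((host, product, version, status))
    return findings

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """
eng-ws-01, CodeMeter Runtime, 7.21a
eng-ws-02, CodeMeter Runtime, 7.30
eng-ws-03, CodeMeter Runtime, 7.30a
eng-ws-04, FluidDraw, 6.2b
eng-ws-05, FluidDraw, 6.2c
mes-pc-01, CodeMeter Runtime, unknown
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:10} {:18} {:8} {}".format(*row))
```

Entries marked "review" carry a version string the parser does not recognise and need a manual check rather than being treated as patched.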

Acknowledgments

Festo SE & Co. KG thanks the following parties for their efforts:

Revision History

| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 13.12.2022 12:50 | Initial revision. |
| 1.0.1 | 11.01.2024 11:00 | Adjust link to VDE Advisory |
| 1.0.2 | 01.10.2025 12:50 | Adjusted to VDE template. Changed title from "Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple Festo products" to "Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products". |