Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in several products

VDE-2023-036
Last update: 13.05.2025 12:00
Published at: 28.11.2023 08:00
Vendor(s): Festo SE & Co. KG
External ID: FSA-202305
CSAF Document

Summary

A vulnerability was found in the Wibu CodeMeter Runtime, which is part of the installation packages of several Festo products. An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction. This could lead to remote code execution and, for an already authenticated user (logged in locally to the PC), to an escalation of privileges giving full admin access on the host system.

Impact

An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction.
Exploiting the vulnerability in WIBU CodeMeter Runtime in non-networked workstation mode could lead to a privilege elevation and full access on this workstation for an already authenticated user (logged in locally to the PC).

Affected Product(s)

Product name | Affected versions
FESTO FluidDraw 365 | <= 7.0a
FESTO FluidDraw P6 | <= 6.2k
Festo Automation Suite | < 2.8.0
FESTO Didactic CIROS Studio / Education | 6.0.0 <= 6.4.6
FESTO Didactic CIROS Studio / Education | 7.0.0 <= 7.1.7
FESTO Didactic FluidSIM 5 | all versions
FESTO Didactic FluidSIM 6 | <= 6.1c
FESTO Didactic MES-PC | shipped before December 2023

Vulnerabilities

Published: 22.09.2025 14:57
Weakness: Out-of-bounds Write (CWE-787)
Summary

A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.

References

Remediation

Festo Automation Suite: Update to version 2.8.0 and use with CODESYS version >= 3.5.19.30.
All other affected products: Update CodeMeter to version >= 7.60c.
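An added inventory check (not code from the advisory, Festo or WIBU) that encodes the affected-version table and the CodeMeter fix threshold above and flags installs still in the vulnerable range. The version format (dotted integers plus an optional trailing letter, a bare "7.60" sorting before "7.60a") and the sample inventory are my assumptions.

```python
import re
from typing import Optional, Tuple

# Assumed version syntax: "7.60b", "6.4.6", "3.5.19.30"; the trailing letter is a patch level.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")

def version_key(v: str) -> Tuple[Tuple[int, ...], str]:
    """Sortable key: numeric components padded to 4, then the patch letter ('' < 'a')."""
    m = _VERSION_RE.fullmatch(v.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums + (0,) * (4 - len(nums)), m.group(2)

# Affected ranges taken from the advisory table: (lower inclusive, upper, upper inclusive).
# None means unbounded; MES-PC is date based and is not modelled here.
AFFECTED_RANGES = {
    "FESTO FluidDraw 365": [(None, "7.0a", True)],
    "FESTO FluidDraw P6": [(None, "6.2k", True)],
    "Festo Automation Suite": [(None, "2.8.0", False)],
    "FESTO Didactic CIROS Studio / Education": [("6.0.0", "6.4.6", True), ("7.0.0", "7.1.7", True)],
    "FESTO Didactic FluidSIM 5": [(None, None, True)],
    "FESTO Didactic FluidSIM 6": [(None, "6.1c", True)],
    "WIBU CodeMeter Runtime": [(None, "7.60b", True)],  # fixed in >= 7.60c
}

def in_range(version: str, rng) -> bool:
    lo, hi, hi_inclusive = rng
    k = version_key(version)
    if lo is not None and k < version_key(lo):
        return False
    if hi is None:
        return True
    hk = version_key(hi)
    return k <= hk if hi_inclusive else k < hk

def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for listed products, None when the product is not in the advisory."""
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        return None
    return any(in_range(version, r) for r in ranges)

def check_inventory(inventory):
    """Return the (product, version) records that are still in an affected range."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]

# Constructed sample inventory, not real asset data.
SAMPLE_INVENTORY = [
    ("WIBU CodeMeter Runtime", "7.60b"), ("WIBU CodeMeter Runtime", "7.60c"),
    ("Festo Automation Suite", "2.7.9"), ("FESTO Didactic CIROS Studio / Education", "6.5.0"),
]
```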

Revision History

Version | Date | Summary
1.0.0 | 28.11.2023 08:00 | Initial version
1.1.0 | 05.12.2023 09:00 | Removed 'MES4 (v3)', 'MES4 (<=v2)' and 'Energy-PC' from affected products as they do not install WIBU CodeMeter Runtime.
1.1.1 | 13.05.2025 12:00 | Adjusted to VDE template and updated information on fixed version of the Festo Automation Suite. Changed document title from 'Vulnerable Wibu CodeMeter Runtime in Several Festo Products' to 'Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in several products'. Updated legal disclaimer to add references to special provisions.