Back to overview

Festo: Multiple Festo products contain an unsafe default Codesys configuration

VDE-2022-037
Last update
10/28/2025 12:00
Published at
11/29/2022 12:41
Vendor(s)
Festo SE & Co. KG
External ID
FSA-202208
CSAF Document
Download

Summary

The products are shipped with an unsafe configuration of the integrated CODESYS Runtime
environment. In this case no default password is set to the CODESYS PLC and therefore access
without authentication is possible.

With a successful established connection to the CODESYS Runtime the PLC-Browser commands are
available. Thus granting the possibilities to e.g. read and modify the configuration file(s), start/stop
the application and reboot the device.

Impact

Affected Product(s)

Model no. Product name Affected versions
Compact Vision System SBO*-Q-* vers:all/* Compact Vision System SBO*-Q-* vers:all/*
Control block CPX-CEC Codesys V2 vers:all/* Control block CPX-CEC Codesys V2 vers:all/*
Control block CPX-CEC-C1 Codesys V2 vers:all/* Control block CPX-CEC-C1 Codesys V2 vers:all/*
Control block CPX-CEC-C1-V3 Codesys V3 vers:all/* Control block CPX-CEC-C1-V3 Codesys V3 vers:all/*
Control block CPX-CEC-M1 Codesys V2 vers:all/* Control block CPX-CEC-M1 Codesys V2 vers:all/*
Control block CPX-CEC-M1-V3 Codesys V3 vers:all/* Control block CPX-CEC-M1-V3 Codesys V3 vers:all/*
Control block CPX-CEC-S1-V3 Codesys V3 vers:all/* Control block CPX-CEC-S1-V3 Codesys V3 vers:all/*
555667, 555668 Control block CPX-CMXX vers:all/* Control block CPX-CMXX vers:all/*
Controller CECC-D vers:all/* Controller CECC-D vers:all/*
Controller CECC-D-BA vers:all/* Controller CECC-D-BA vers:all/*
Controller CECC-D-CS vers:all/* Controller CECC-D-CS vers:all/*
Controller CECC-LK vers:all/* Controller CECC-LK vers:all/*
Controller CECC-S vers:all/* Controller CECC-S vers:all/*
Controller CECC-X-M1 vers:all/* Controller CECC-X-M1 vers:all/*
Controller CECC-X-M1-MV vers:all/* Controller CECC-X-M1-MV vers:all/*
Controller CECC-X-M1-S1 vers:all/* Controller CECC-X-M1-S1 vers:all/*
553852 Controller CECX-X-C1 vers:all/* Controller CECX-X-C1 vers:all/*
553853 Controller CECX-X-M1 vers:all/* Controller CECX-X-M1 vers:all/*
Controller CPX-E-CEC-C1 vers:all/* Controller CPX-E-CEC-C1 vers:all/*
Controller CPX-E-CEC-C1-EP vers:all/* Controller CPX-E-CEC-C1-EP vers:all/*
Controller CPX-E-CEC-C1-PN vers:all/* Controller CPX-E-CEC-C1-PN vers:all/*
Controller CPX-E-CEC-M1 vers:all/* Controller CPX-E-CEC-M1 vers:all/*
Controller CPX-E-CEC-M1-EP vers:all/* Controller CPX-E-CEC-M1-EP vers:all/*
Controller CPX-E-CEC-M1-PN vers:all/* Controller CPX-E-CEC-M1-PN vers:all/*
559869 Controller FED-CEC vers:all/* Controller FED-CEC vers:all/*
Operator unit CDPX-X-A-S-10 vers:all/* Operator unit CDPX-X-A-S-10 vers:all/*
Operator unit CDPX-X-A-W-13 vers:all/* Operator unit CDPX-X-A-W-13 vers:all/*
Operator unit CDPX-X-A-W-4 vers:all/* Operator unit CDPX-X-A-W-4 vers:all/*
Operator unit CDPX-X-A-W-7 vers:all/* Operator unit CDPX-X-A-W-7 vers:all/*
Operator unit CDPX-X-E1-W-10 vers:all/* Operator unit CDPX-X-E1-W-10 vers:all/*
Operator unit CDPX-X-E1-W-15 vers:all/* Operator unit CDPX-X-E1-W-15 vers:all/*
Operator unit CDPX-X-E1-W-7 vers:all/* Operator unit CDPX-X-E1-W-7 vers:all/*

Vulnerabilities

Expand / Collapse all

Published
10/28/2025 10:06
Severity
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
Initialization of a Resource with an Insecure Default (CWE-1188)
Summary

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.

References
cve.org | nvd.nist.gov

Published
11/04/2025 16:12
Severity
8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Summary

A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.

References
cve.org | nvd.nist.gov

Mitigation

Festo has identified the following compensatory measures to reduce the risk:

  • For CVE-2022-22515: Using the online user management prevents an attacker from
    downloading and execute malicious code, but also suppresses start, stop, debug, or other
    actions on a known working application that could potentially disrupt a machine or system.
  • For CVE-2022-31806: Enable password protection at login in case no password is set at the controller. Please note that the password configuration file is not covered via default FFT backup & Restore mechanism, you must select the related file manually.

Acknowledgments

Festo SE & Co. KG thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 11/29/2022 12:41 Initial revision.
1.0.1 01/11/2024 11:00 Adjust link to VDE Advisory
1.0.2 10/28/2025 12:00 Adjusted to VDE template. Changed title from "Multiple Festo products contain an unsafe default Codesys configuration" to "Festo: Multiple Festo products contain an unsafe default Codesys configuration". Updated legal disclaimer to add references to special provisions.