Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions

VDE-2023-020

Last update

10/01/2025 12:00

Published at

09/05/2023 12:00

Vendor(s)

Festo SE & Co. KG

External ID

FSA-202304

CSAF Document

Download

Summary

Incomplete user documentation of undocumented, authenticated test mode and further remote accessible functions.
The supported features may be covered only partly by the corresponding user documentation.

Festo developed the products according to the respective state of the art. As a result, the protocols used no longer fully meet today's security requirements.
The products are designed and developed for use in sealed-off (industrial) networks.
If the network is not adequately sealed off, unauthorized access to the product can cause damage or malfunctions, particularly Denial of Service (DoS) or loss of integrity.

Impact

In products of the MSE6 product-family by Festo a remote authenticated attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability.

Affected Product(s)

Model no.	Product name	Affected versions
8169406	MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD vers:all/*	MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD vers:all/*
8157913	MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGD vers:all/*	MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGD vers:all/*
8169407	MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGD vers:all/*	MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGD vers:all/*
8157912	MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGD vers:all/*	MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGD vers:all/*
8157908	MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGD vers:all/*	MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGD vers:all/*
8157909	MSE6-C2M-5000-FB44-D-RG-BAR-AMI-AGD vers:all/*	MSE6-C2M-5000-FB44-D-RG-BAR-AMI-AGD vers:all/*
8085453	MSE6-D2M-5000-CBUS-S-RG-BAR- VCB-AGD vers:all/*	MSE6-D2M-5000-CBUS-S-RG-BAR- VCB-AGD vers:all/*
2465321	MSE6-E2M-5000-FB13-AGD vers:all/*	MSE6-E2M-5000-FB13-AGD vers:all/*
3990296	MSE6-E2M-5000-FB36-AGD vers:all/*	MSE6-E2M-5000-FB36-AGD vers:all/*
3992150	MSE6-E2M-5000-FB37-AGD vers:all/*	MSE6-E2M-5000-FB37-AGD vers:all/*
8157910	MSE6-E2M-5000-FB43-AGD vers:all/*	MSE6-E2M-5000-FB43-AGD vers:all/*
8157911	MSE6-E2M-5000-FB44-AGD vers:all/*	MSE6-E2M-5000-FB44-AGD vers:all/*

Vulnerabilities

Expand / Collapse all

Published

10/06/2025 14:04

Severity

8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness

Hidden Functionality (CWE-912)

Summary

In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability.

References

cve.org | nvd.nist.gov

Remediation

Update of user documentation in next product version.

Acknowledgments

Festo SE & Co. KG thanks the following parties for their efforts:

CERT@VDE for coordination and support with this publication (see https://certvde.com )

Revision History

Version	Date	Summary
1.0.0	09/05/2023 12:00	Initial revision.
1.0.1	10/01/2025 12:00	Adjusted to VDE template. Changed title from "MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions" to "Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions".

Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2023-3634 8.8

Remediation

Acknowledgments

Revision History