FestoCVEs & Vulnerabilities

9 CVEs affecting Festo products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

controller cecc-x-m1 firmware 9controller cecc-x-m1-mv firmware 9controller cecc-x-m1-mv-s1 firmware 9controller cecc-x-m1-ys-l1 5controller cecc-x-m1 5controller cecc-x-m1-mv-s1 5controller cecc-x-m1-mv 5controller cecc-x-m1-ys-l1 firmware 5
CVE-2020-12069HIGH

In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.

26 Dec 2022
7.8
CVSS
CVE-2022-3270CRITICAL

In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.

1 Dec 2022
9.8
CVSS
CVE-2022-3079HIGH

Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.

20 Sep 2022
7.5
CVSS
CVE-2022-30311CRITICAL

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

13 Jun 2022
9.8
CVSS
CVE-2022-30310CRITICAL

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

13 Jun 2022
9.8
CVSS
CVE-2022-30309CRITICAL

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

13 Jun 2022
9.8
CVSS
CVE-2022-30308CRITICAL

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

13 Jun 2022
9.8
CVSS
CVE-2014-0769CRITICAL

The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.

25 Apr 2014
9.3
CVSS
CVE-2014-0760CRITICAL

The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which could allow a remote attacker to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.

25 Apr 2014
9.3
CVSS
← PrevPage 1 / 1Next →