Festo Compact Vision System, Control Block, Controller, and Operator Unit products


Overview

The Festo Compact Vision System and related products have critical vulnerabilities that could allow unauthorized access and modification of configuration files, with a CVSS score of up to 9.8. Users are urged to implement security measures to mitigate the risk of exploitation, as these vulnerabilities could severely impact device security and integrity.

Key Takeaways

  • Affected Systems: Affected products include: Festo Software Compact Vision System (All Versions), Control blocks (CPX-CEC-C1 Codesys V2, CPX-CEC-C1-V3 Codesys V3, CPX-CEC Codesys V2, CPX-CEC-M1 Codesys V2, CPX-CEC-M1-V3 Codesys V3, CPX-CEC-S1-V3 Codesys V3, CPX-CMXX), Controllers (CECC-D, CECC-D-BA, CECC-D-CS, CECC-LK, CECC-S, CECC-X-M1, CECC-X-M1-MV, CECC-X-M1-S1, CECX-X-C1, CECX-X-M1, CPX-E-CEC-C1, CPX-E-CEC-C1-EP, CPX-E-CEC-C1-PN, CPX-E-CEC-M1, CPX-E-CEC-M1-EP, CPX-E-CEC-M1-PN, FED-CEC), and Operator units (CDPX-X-A-S-10, CDPX-X-A-W-13, CDPX-X-A-W-4, CDPX-X-A-W-7, CDPX-X-E1-W-10, CDPX-X-E1-W-15, CDPX-X-E1-W-7). Vendor: Festo.
  • Action Required: For CVE-2022-22515: Use online user management to prevent unauthorized access.
  • Timeline: Disclosed on November 25, 2025

Original Article Summary

1. EXECUTIVE SUMMARY

  • CVSS v3: 9.8
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Festo
  • Equipment: Compact Vision System, Control Block, Controller, and Operator Unit products
  • Vulnerabilities: Exposure of Resource to Wrong Sphere, Initialization of a Resource with an Insecure Default

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker accessing devices without authentication or modifying configuration files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports that the following products are affected (all versions in every case):

  • Festo Software Compact Vision System: SBO-Q-
  • Festo Software Control blocks: CPX-CEC-C1 Codesys V2, CPX-CEC-C1-V3 Codesys V3, CPX-CEC Codesys V2, CPX-CEC-M1 Codesys V2, CPX-CEC-M1-V3 Codesys V3, CPX-CEC-S1-V3 Codesys V3, CPX-CMXX
  • Festo Software Controllers: CECC-D, CECC-D-BA, CECC-D-CS, CECC-LK, CECC-S, CECC-X-M1, CECC-X-M1-MV, CECC-X-M1-S1, CECX-X-C1, CECX-X-M1, CPX-E-CEC-C1, CPX-E-CEC-C1-EP, CPX-E-CEC-C1-PN, CPX-E-CEC-M1, CPX-E-CEC-M1-EP, CPX-E-CEC-M1-PN, FED-CEC
  • Festo Software Operator units: CDPX-X-A-S-10, CDPX-X-A-W-13, CDPX-X-A-W-4, CDPX-X-A-W-7, CDPX-X-E1-W-10, CDPX-X-E1-W-15, CDPX-X-E1-W-7

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

A remote, authenticated attacker could use the control program of the CODESYS Control runtime system to read and modify the configuration file(s) of the affected products.

CVE-2022-22515 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57, password protection is not enabled by default, and there is no information or prompt to enable password protection at login when no password is set on the controller.

CVE-2022-31806 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CERT@VDE coordinated and supported publication with Festo. Rob Hulsebos and Daniel dos Santos of Forescout reported this vulnerability to Festo.

4. MITIGATIONS

Festo has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • For CVE-2022-22515: Using the online user management prevents an attacker from downloading and executing malicious code, but also suppresses start, stop, debug, or other actions on a known working application that could potentially disrupt a machine or system.
  • For CVE-2022-31806: Enable password protection at login if no password is set on the controller. Note that the password configuration file is not covered by the default FFT Backup & Restore mechanism; the related file must be selected manually.

For more information see the associated Festo SE & Co. KG security advisory FSA-202208, "Multiple Festo products contain an unsafe default Codesys configuration" (published in HTML and CSAF form).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 25, 2025: Initial Republication of Festo SE & Co. KG FSA-202208

Impact

Successful exploitation could allow an attacker to access an affected device without authentication (CVE-2022-31806, where password protection is not enabled by default) or, as an authenticated user, to read and modify the device's configuration file(s) via the CODESYS control program (CVE-2022-22515). The affected Festo Compact Vision System, Control block, Controller, and Operator unit models are listed under Key Takeaways; all versions are affected.

Exploitation Status

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. Organizations should still apply the vendor mitigations promptly, as proof-of-concept code may exist.

Timeline

Disclosed on November 25, 2025

Remediation

For CVE-2022-22515: Use online user management to prevent unauthorized access. For CVE-2022-31806: Enable password protection at login if no password is set. Note that the password configuration file must be manually selected for backup as it is not included in the default FFT backup & Restore mechanism. CISA recommends minimizing network exposure for control systems, using firewalls, and employing secure remote access methods like VPNs.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, refer to the original CISA advisory and the Festo security advisory FSA-202208.

