VulnHub

Real-time Cybersecurity News

Festo Compact Vision System, Control Block, Controller, and Operator Unit products

All CISA Advisories
PhishingCVEVulnerabilityUpdateCritical

Overview

The Festo Compact Vision System and related products have critical vulnerabilities that could allow unauthorized access and modification of configuration files, with a CVSS score of up to 9.8. Users are urged to implement security measures to mitigate the risk of exploitation, as these vulnerabilities could severely impact device security and integrity.

Key Takeaways

  • Affected Systems: Affected products include: Festo Software Compact Vision System (All Versions), Control blocks (CPX-CEC-C1 Codesys V2, CPX-CEC-C1-V3 Codesys V3, CPX-CEC Codesys V2, CPX-CEC-M1 Codesys V2, CPX-CEC-M1-V3 Codesys V3, CPX-CEC-S1-V3 Codesys V3, CPX-CMXX), Controllers (CECC-D, CECC-D-BA, CECC-D-CS, CECC-LK, CECC-S, CECC-X-M1, CECC-X-M1-MV, CECC-X-M1-S1, CECX-X-C1, CECX-X-M1, CPX-E-CEC-C1, CPX-E-CEC-C1-EP, CPX-E-CEC-C1-PN, CPX-E-CEC-M1, CPX-E-CEC-M1-EP, CPX-E-CEC-M1-PN, FED-CEC), and Operator units (CDPX-X-A-S-10, CDPX-X-A-W-13, CDPX-X-A-W-4, CDPX-X-A-W-7, CDPX-X-E1-W-10, CDPX-X-E1-W-15, CDPX-X-E1-W-7). Vendor: Festo.
  • Action Required: For CVE-2022-22515: Use online user management to prevent unauthorized access.
  • Timeline: Disclosed on November 25, 2025

Original Article Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Festo Equipment: Compact Vision System, Control Block, Controller, and Operator Unit products Vulnerabilities: Exposure of Resource to Wrong Sphere, Initialization of a Resource with an Insecure Default 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in an attacker accessing devices without authentication or modifying configuration files. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Festo reports that the following products are affected: Festo Software Compact Vision System SBO-Q-: All Versions Festo Software Control block CPX-CEC-C1 Codesys V2: All Versions Festo Software Control block CPX-CEC-C1-V3 Codesys V3: All Versions Festo Software Control block CPX-CEC Codesys V2: All Versions Festo Software Control block CPX-CEC-M1 Codesys V2: All Versions Festo Software Control block CPX-CEC-M1-V3 Codesys V3: All Versions Festo Software Control block CPX-CEC-S1-V3 Codesys V3: All Versions Festo Software Control block CPX-CMXX: All Versions Festo Software Controller CECC-D: All Versions Festo Software Controller CECC-D-BA: All Versions Festo Software Controller CECC-D-CS: All Versions Festo Software Controller CECC-LK: All Versions Festo Software Controller CECC-S: All Versions Festo Software Controller CECC-X-M1: All Versions Festo Software Controller CECC-X-M1-MV: All Versions Festo Software Controller CECC-X-M1-S1: All Versions Festo Software Controller CECX-X-C1: All Versions Festo Software Controller CECX-X-M1: All Versions Festo Software Controller CPX-E-CEC-C1: All Versions Festo Software Controller CPX-E-CEC-C1-EP: All Versions Festo Software Controller CPX-E-CEC-C1-PN: All Versions Festo Software Controller CPX-E-CEC-M1: All Versions Festo Software Controller CPX-E-CEC-M1-EP: All Versions Festo Software Controller CPX-E-CEC-M1-PN: All Versions Festo Software Controller FED-CEC: All Versions Festo Software Operator unit CDPX-X-A-S-10: All Versions Festo Software Operator unit CDPX-X-A-W-13: All Versions Festo Software Operator unit CDPX-X-A-W-4: All Versions Festo Software Operator unit CDPX-X-A-W-7: All Versions Festo Software Operator unit CDPX-X-E1-W-10: All Versions Festo Software Operator unit CDPX-X-E1-W-15: All Versions Festo Software Operator unit CDPX-X-E1-W-7: All Versions 3.2 VULNERABILITY OVERVIEW 3.2.1 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668 A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products. CVE-2022-22515 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). 3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188 In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller. CVE-2022-31806 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: Germany 3.4 RESEARCHER CERT@VDE coordinated and supported publication with Festo. Rob Hulsebos and Daniel dos Santos of Forescout reported this vulnerability to Festo. 4. MITIGATIONS Festo has identified the following specific workarounds and mitigations users can apply to reduce risk: For CVE-2022-22515: Using the online user management prevents an attacker from downloading and executing malicious code, but also suppresses start, stop, debug, or other actions on a known working application that could potentially disrupt a machine or system. For CVE-2022-31806: Enable password protection at login in case no password is set at the controller. Please note that the password configuration file is not covered via default FFT backup & Restore mechanism, you must select the related file manually. For more information see the associated Festo SE & Co. KG security advisory FSA-202208 FSA-202208: Festo: Multiple Festo products contain an unsafe default Codesys configuration - HTML, FSA-202208: Festo: Multiple Festo products contain an unsafe default Codesys configuration - CSAF. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. 5. UPDATE HISTORY November 25, 2025: Initial Republication of Festo SE & Co. KG FSA-202208

Impact

Affected products include: Festo Software Compact Vision System (All Versions), Control blocks (CPX-CEC-C1 Codesys V2, CPX-CEC-C1-V3 Codesys V3, CPX-CEC Codesys V2, CPX-CEC-M1 Codesys V2, CPX-CEC-M1-V3 Codesys V3, CPX-CEC-S1-V3 Codesys V3, CPX-CMXX), Controllers (CECC-D, CECC-D-BA, CECC-D-CS, CECC-LK, CECC-S, CECC-X-M1, CECC-X-M1-MV, CECC-X-M1-S1, CECX-X-C1, CECX-X-M1, CPX-E-CEC-C1, CPX-E-CEC-C1-EP, CPX-E-CEC-C1-PN, CPX-E-CEC-M1, CPX-E-CEC-M1-EP, CPX-E-CEC-M1-PN, FED-CEC), and Operator units (CDPX-X-A-S-10, CDPX-X-A-W-13, CDPX-X-A-W-4, CDPX-X-A-W-7, CDPX-X-E1-W-10, CDPX-X-E1-W-15, CDPX-X-E1-W-7). Vendor: Festo.

Exploitation Status

No active exploitation has been reported at this time. However, organizations should still apply patches promptly as proof-of-concept code may exist.

Timeline

Disclosed on November 25, 2025

Remediation

For CVE-2022-22515: Use online user management to prevent unauthorized access. For CVE-2022-31806: Enable password protection at login if no password is set. Note that the password configuration file must be manually selected for backup as it is not included in the default FFT backup & Restore mechanism. CISA recommends minimizing network exposure for control systems, using firewalls, and employing secure remote access methods like VPNs.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Phishing, CVE, Vulnerability, and 2 more.

Read Original Article

Related Coverage

ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers

Hackread – Cybersecurity News, Data Breaches, AI and More

Hackers are currently exploiting a vulnerability in ShowDoc, identified as CVE-2025-0520, which was discovered five years ago. This flaw allows attackers to deploy web shells, enabling remote code execution (RCE) and complete server takeovers on affected systems. The exploitation of this vulnerability is happening globally, impacting various organizations that use ShowDoc. It’s crucial for users and companies to address this issue promptly to prevent unauthorized access and potential data breaches. Security teams should prioritize patching their systems to mitigate the risk posed by this vulnerability.

Apr 18, 2026

Operation PowerOFF: 75K Users of DDoS-for-Hire Services Identified and Warned

Hackread – Cybersecurity News, Data Breaches, AI and More

Operation PowerOFF has successfully identified and issued warnings to around 75,000 users of DDoS-for-hire services. This initiative, led by Europol, resulted in four arrests and the seizure of 53 domains associated with these illegal services. DDoS-for-hire, also known as 'booting', involves paying individuals or groups to launch distributed denial-of-service attacks against targeted websites or networks, causing disruption. The crackdown not only targets the providers but also the users who engage in these activities, highlighting the ongoing efforts to combat cybercrime. Users involved in these services face potential legal consequences, which raises awareness about the risks of participating in such illicit activities.

Apr 18, 2026

$13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims

The Hacker News

Grinex, a cryptocurrency exchange based in Kyrgyzstan and already sanctioned by the U.K. and U.S., has announced the suspension of its operations following a cyber attack that resulted in the theft of $13.74 million. The exchange claims this attack was orchestrated by foreign intelligence agencies, suggesting a coordinated effort rather than a random act of cybercrime. This incident raises concerns not only for Grinex but also for the broader cryptocurrency market, as it highlights vulnerabilities within exchanges, especially those already under scrutiny. The attack's implications could deter users from engaging with platforms that have been targeted, thereby affecting market confidence. As the investigation unfolds, the exchange and its users are left grappling with the fallout from this significant breach.

Apr 18, 2026

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

The Hacker News

Researchers from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have identified that attackers are exploiting a command injection vulnerability, CVE-2024-3721, in TBK DVRs and outdated TP-Link Wi-Fi routers. This medium-severity flaw, which has a CVSS score of 6.3, allows malicious actors to hijack these devices to create a botnet for DDoS attacks. The compromised TBK DVRs and EoL TP-Link routers are particularly concerning as they can be easily targeted due to their lack of ongoing support and security updates. This situation poses a significant risk to users, as their devices can be turned into tools for larger-scale cyberattacks without their knowledge. Users of these devices should take immediate action to secure their systems against potential exploitation.

Apr 18, 2026

US imposes extended jail time on North Korean laptop farm facilitators

SCM feed for Latest

Kejia Wang and Zhenxing Wang, two residents of New Jersey, have been sentenced to nine years and nearly eight years in prison, respectively, for their roles in facilitating a North Korean laptop farm. This operation was part of a scheme that falsely represented IT workers, generating over $5 million for the North Korean regime. The laptop farm was used to support various illicit activities, highlighting the ongoing challenges posed by cyber operations linked to North Korea. The U.S. Department of Justice's actions aim to disrupt these types of operations and send a clear message against aiding sanctioned regimes. This incident serves as a reminder of the global reach of cybercrime and the importance of international cooperation in combating it.

Apr 17, 2026

Another PoC exploit released by 'BlueHammer' leaker after Microsoft dispute

SCM feed for Latest

A security researcher known as Chaotic Eclipse has released a proof-of-concept (PoC) exploit for a zero-day vulnerability in Microsoft Defender, identified as 'RedSun'. This follows the earlier disclosure of an exploit for another flaw in Defender, tracked as CVE-2026-33825, known as the BlueHammer flaw. The implications of these exploits are significant, as they expose users of Microsoft Defender to potential attacks that could compromise system security. Organizations using this antivirus solution should be particularly vigilant, as the release of these exploits could lead to increased attempts at exploitation by malicious actors. It's crucial for users to stay informed about updates from Microsoft regarding these vulnerabilities.

Apr 17, 2026