{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "CECX-X-C1 Modular Master Controller with CoDeSys", "vendor": "Festo", "versions": [ { "status": "affected", "version": "all" } ] }, { "defaultStatus": "unaffected", "product": "CECX-X-M1 Modular Controller with CoDeSys and SoftMotion", "vendor": "Festo", "versions": [ { "status": "affected", "version": "all" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "K. Reid Wightman of IOActive, Inc. has identified vulnerabilities in Festo’s CECX-X-C1 and CECX-X-M1 controllers." } ], "datePublic": "2014-04-24T06:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "
\nThe Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1\n Modular Controller with CoDeSys and SoftMotion provide an undocumented \naccess method involving the FTP protocol, which could allow a remote attacker to execute arbitrary code or cause a denial of service (application \ncrash) via unspecified vectors.\n\n
" } ], "value": "The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1\n Modular Controller with CoDeSys and SoftMotion provide an undocumented \naccess method involving the FTP protocol, which could allow a remote attacker to execute arbitrary code or cause a denial of service (application \ncrash) via unspecified vectors." } ], "metrics": [ { "cvssV2_0": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-07-02T20:29:50.796Z" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01" } ], "source": { "advisory": "ICSA-14-084-01", "discovery": "EXTERNAL" }, "title": "Festo CECX-X-(C1/M1) Controller Improper Authentication", "workarounds": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Festo has decided not to resolve these vulnerabilities, placing \ncritical infrastructure asset owners using this product at risk. This \nadvisory is being published to alert critical infrastructure asset \nowners of the risk of using this equipment, and to increase compensating\n security measures if possible. Some of these compensating measures can be:
\n