Festo Didactic training panels and MES‑PC workstations shipped for years with a cracked front door. A path‑traversal bug in the bundled Siemens TIA Portal engineering suite lets a single malicious project file rewrite any file on the host—and in skilled hands, that means arbitrary code execution. Siemens fixed the flaw back in 2023, but because the vulnerable versions came pre‑installed on Festo hardware, thousands of lab machines, classroom rigs, and even production‑adjacent engineering stations may still be running the unpatched software.
A Flaw Hiding in Your Classroom
CISA published an advisory on November 19, 2024, that connects CVE‑2023‑26293 directly to Festo Didactic products. The vulnerability itself lives inside Siemens Totally Integrated Automation Portal (TIA Portal) versions V15 through V18. When an engineer opens a specially crafted PC system configuration file—a routine task when transferring projects or device settings—the software can be tricked into writing or overwriting files outside the intended project directories. A well‑constructed payload can plant a malicious executable that later runs with the same privileges as the engineering environment, yielding full control of the workstation.
The attack requires user interaction: someone must open the poisoned file. But in the industrial world, configuration files circulate as casually as email attachments. Vendors email them, technicians carry them on USB sticks, and students share them in training labs. A single malicious file slipped into a routine project handoff is all it takes.
Festo Didactic hardware—specifically the TP260 training panel and the MES‑PC industrial PC—bundled TIA Portal installers straight from Siemens. If the device was shipped before June 2023, it almost certainly contains a vulnerable version. The flaw isn’t in Festo’s own code; it’s a problem they inherited. But because the software is baked into the product, customers may not realize they need to apply a third‑party update to a tool they never explicitly chose to install.
Your Engineering Workstation Is the Target
For a home user dabbling in PLC programming, the risk might seem abstract. But in any organization that uses Festo Didactic gear, this is a practical, urgent concern. Engineering workstations are the keys to the operational technology kingdom. A compromised host can be used to spy on logic designs, inject malicious routines into PLC code, or leapfrog into segmented OT networks that aren’t monitored by IT security tools.
- Trainers and educators run dozens of identical workstations, often with relaxed security policies. Project files flow freely between instructors, students, and external training partners. One bad file can infect an entire lab fleet in a single session.
- IT and OT administrators inherit these machines long after purchase. Many don’t realize the TIA Portal installation came from Festo and may never have been updated. Vendors rarely scream “there’s a critical vulnerability in the third‑party software we shipped you.”
- Developers and integrators who use MES‑PC boxes as jump hosts or build servers are especially exposed. A write‑and‑execute vector on a build machine can corrupt compiled binaries that later get deployed to real controllers.
CISA’s advisory scores the vulnerability 7.8 out of 10 on the CVSS scale (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). That’s a high‑severity rating driven by the complete loss of confidentiality, integrity, and availability on the engineering host. Even though the attack is local in nature and requires user trickery, the low complexity and devastating impact push the risk into “patch immediately” territory.
How a Siemens Patch Became a Festo Problem
The timeline is straightforward, and it illustrates why supply‑chain transparency matters in industrial environments.
- 2023: Siemens discloses CVE‑2023‑26293 in its own TIA Portal products and releases fixed updates (V17 Update 6, V18 Update 1, and later). The vulnerability is a classic path‑traversal, CWE‑22, rooted in improper validation of file paths inside PC system configuration files.
- Early 2024: Festo, through CERT@VDE, acknowledges that several of its Didactic products shipped with the affected TIA Portal versions. Festo’s own advisory FSA‑202303 tells customers to apply the Siemens patches.
- November 2024: CISA amplifies the warning with advisory ICSA‑25‑324‑05, explicitly listing the impacted Festo hardware and reiterating the same fix.
Despite these warnings, the lag between a vendor fix and its adoption in the field can stretch for years, especially when the software is a bundled component rather than a standalone application. Organizations that treat Festo devices as turnkey appliances may never have built patch cycles for the underlying engineering tools.
What to Do Now: A Practical Checklist
If you have any Festo MES‑PC or TP260 units—or any workstation that came with a Festo‑branded TIA Portal installer—take these actions this week.
1. Inventory Every Affected Device
Walk the lab floor, check asset registers, and scan your network. Identify every host that has TIA Portal installed, and note the precise version and update level. Look especially for:
- Festo MES‑PC systems
- Festo TP260 training panels
- Any classroom image or VM that includes a TIA Portal installation from a Festo recovery DVD
2. Patch TIA Portal Immediately
Follow Siemens’ SSA‑116924 advisory (search for it on the Siemens ProductCERT page) and update to at least:
- TIA Portal V17 Update 6
- TIA Portal V18 Update 1
- Or any later version that Siemens lists as fixed.
If a Festo device runs a TIA Portal version earlier than V15, it is not directly listed as vulnerable, but you should still upgrade to a supported release. Do not rely on Festo’s own firmware updates alone—you must patch the Siemens software inside the box.
3. Isolate Unpatchable Systems
Some legacy training setups can’t be updated because they rely on a specific TIA Portal version. Move those machines to a restricted VLAN with no internet access and strict firewall rules that block inbound file‑transfer protocols. Disable USB autorun and removable media unless absolutely necessary.
4. Harden How Project Files Arrive
Treat any incoming PC system configuration file as potentially hostile until scanned. Implement these controls on your mail gateway and file servers:
- Block or quarantine attachments with extensions commonly used by TIA Portal configuration files (e.g., .tia, .ap, .pcst).
- Use a sandbox to open suspicious files in an isolated environment before delivering them to engineers.
- Require contractors and partners to deliver project files through a secure managed file transfer system, not ordinary email.
5. Monitor for Signs of Compromise
If you have endpoint detection and response (EDR) on engineering workstations, add custom rules to flag anomalous behaviour from TIA Portal processes. Key indicators:
- Unexpected file writes from TiaPortal.exe or Automation Software Gateway into system directories (e.g., C:\Windows\System32, C:\Program Files\).
- Creation of new executable files in project folders or user temp directories immediately after a project file is opened.
- Outbound network connections from TIA Portal processes to unusual remote IP addresses.
On Windows, also watch for suspicious PowerShell or cmd.exe child processes spawned by the TIA Portal user session. Enable logging for these events and send them to your SIEM.
6. Educate Your People
Engineers and technicians need to understand that opening a project file from an untrusted source is just as dangerous as clicking a phishing link. Make it policy to:
- Never open a configuration file from an unknown or unverified contact.
- Demand that files be delivered via authorized, monitored channels.
- Scan files with endpoint protection before opening, even if the sender is known.
The Bigger Picture: Why This Keeps Happening
CVE‑2023‑26293 isn’t an exotic zero‑day; it’s a textbook path‑traversal bug that should have been caught earlier. But the story matters because it exposes a recurring weakness in industrial supply chains: hardware vendors bundle complex software stacks, and then the responsibility for keeping those stacks secure vanishes into a grey zone between the hardware maker and the customer.
Festo was not alone. Many industrial training kits, HMI panels, and engineering laptops ship with pre‑loaded software that never appears on a corporate patch list. As operational technology and IT converge, the organisations running these devices must demand a clear software bill of materials (SBOM) from every supplier and integrate third‑party component updates into their regular patch cycles.
For now, the fix is available and the attack requires user interaction, so the immediate risk can be managed with the steps above. But treat this as a warning: the next vulnerability of this sort might not come with a pre‑published patch or a CISA headline. Stronger segmentation, hardened file handling, and routine auditing of installed software are the only durable defences.
What to Watch Next
- Siemens updates: New versions of TIA Portal may ship hardened against similar input validation flaws. If you manage engineering workstations, subscribe to Siemens’ ProductCERT RSS feed to catch future advisories early.
- Festo refreshes: Festo may release updated “golden images” for its TP260 and MES‑PC lines that embed the fixed TIA Portal versions. Check with your Festo support contact or the official Festo advisory page (FSA‑202303) for availability.
- Exploitation activity: While CISA states that no known public exploitation of this specific vulnerability has been reported, the scenario is easy to weaponize. Threat groups targeting industrial control systems could incorporate the technique into their playbooks. Stay alert for indicators of compromise that match the file‑write patterns described above.
CVE‑2023‑26293 is a solvable problem. Inventory, patch, harden file transfer, and monitor. But it’s also a reminder that in the world of industrial automation, the software you didn’t install can be the door you forgot to lock.