PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-2812 Festo Didactic SE CVE debrief

CVE-2020-2812 is an Oracle MySQL Server vulnerability in the Stored Procedure component that can be used by a high-privileged attacker with network access to trigger a hang or repeatable crash of MySQL Server. The supplied CVSS vector shows an availability-only impact, with no confidentiality or integrity impact recorded. In the supplied CISA CSAF advisory context, the issue is tied to Festo Didactic SE MES PC. The vendor remediation notes say Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs and that the current version includes fixes for these vulnerabilities.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic SE MES PC operators and administrators, teams responsible for any bundled MySQL/XAMPP components in those deployments, and defenders who manage privileged MySQL access over the network.

Technical summary

The vulnerable component is Oracle MySQL Server: Stored Procedure. A network attacker who already holds high privileges can exploit the flaw over multiple protocols to cause service disruption, typically a hang or a frequently repeatable crash of the server. The supplied affected-version ranges are 5.6.47 and prior, 5.7.29 and prior, and 8.0.19 and prior.

Defensive priority

Medium

Recommended defensive actions

  • Check whether any MES PC deployment or related system is running an affected Oracle MySQL version or the vulnerable bundled component referenced in the advisory.
  • Obtain the current Factory Control Panel version from Festo technical support and replace XAMPP on MES PCs, as stated in the vendor remediation.
  • Restrict and monitor privileged MySQL accounts and limit network exposure to the database service to reduce the chance of a high-privilege network attack.
  • Apply CISA ICS recommended practices and defense-in-depth guidance to segment, harden, and monitor the environment.
  • Validate the update in a maintenance window and confirm the vulnerable component is no longer present after remediation.
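To support the first and last actions above (finding affected servers and confirming they are gone after remediation), here is an added example, not part of the advisory or any Festo tooling, that classifies the output of MySQL's SELECT VERSION() against the three affected ranges the advisory states. Host names and version strings in the sample inventory are constructed; distribution suffixes and MariaDB builds are handled as edge cases.

```python
import re

# Affected ranges as stated in the advisory: "X and prior" on each branch.
# Only the branches the advisory names (5.6, 5.7, 8.0) are listed here.
AFFECTED_MAX = {
    (5, 6): (5, 6, 47),
    (5, 7): (5, 7, 29),
    (8, 0): (8, 0, 19),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(version_string):
    """Return (major, minor, patch) from the output of SELECT VERSION().

    Distribution suffixes such as '-log' or '-0ubuntu0.20.04.1' are ignored.
    Returns None when the string is not a MySQL version (e.g. MariaDB builds,
    which carry their own numbering and are not covered by this advisory).
    """
    s = version_string.strip()
    if "mariadb" in s.lower():
        return None
    m = _VERSION_RE.match(s)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version_string):
    """Classify one server version against the CVE-2020-2812 ranges.

    Returns 'affected', 'fixed', 'not-mysql', or 'outside-stated-ranges'
    (a branch the advisory does not mention, such as 5.5 or 8.1).
    """
    v = parse_mysql_version(version_string)
    if v is None:
        return "not-mysql"
    branch = v[:2]
    if branch not in AFFECTED_MAX:
        return "outside-stated-ranges"
    # Tuple comparison orders (major, minor, patch) numerically.
    return "affected" if v <= AFFECTED_MAX[branch] else "fixed"


def triage_inventory(inventory):
    """Map host -> status for a dict of host -> VERSION() output."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = {
    "mes-pc-01": "5.7.29-log",
    "mes-pc-02": "8.0.20",
    "mes-pc-03": "10.4.13-MariaDB",
    "lab-db": "5.6.40",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Run the same check after deploying Factory Control Panel; any host still reporting "affected" has not actually had the bundled component replaced.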

Evidence notes

The supplied source item is CISA CSAF advisory ICSA-26-027-02, initially published on 2024-02-27 and later republished on 2026-01-27. Its description states that CVE-2020-2812 is a MySQL Server stored procedure vulnerability that can cause a hang or repeatable crash. The remediation entry says Factory Control Panel replaces XAMPP on MES PCs and includes fixes, obtainable through Festo technical support.

Official resources

CISA's CSAF advisory record for ICSA-26-027-02 was initially published on 2024-02-27 and later republished/updated on 2026-01-27. The CVE record and advisory identify the issue as CVE-2020-2812.