PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-2922 Festo Didactic SE CVE debrief

CVE-2020-2922 is a low-severity information disclosure issue affecting Oracle MySQL Client C API as described in the supplied advisory corpus. The advisory text says an unauthenticated network attacker using multiple protocols could compromise the client and read a subset of accessible data. In the CISA CSAF republish, the advisory is presented in a Festo Didactic SE MES PC context, with vendor remediation pointing to Factory Control Panel as a replacement for XAMPP on MES PCs. For defenders, the main takeaway is exposure management rather than emergency incident response: the CVSS score is 3.7 (LOW), the impact is confidentiality-only, and the source material indicates a vendor replacement/fix path is available. Because the supplied corpus ties the advisory to Festo MES PC while the vulnerability description references Oracle MySQL Client, treat the product mapping carefully and verify which deployed component is actually present before planning remediation.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Operators and maintainers of Festo Didactic SE MES PC deployments, especially environments that include Oracle MySQL Client/C API components or bundled XAMPP-related tooling. Security teams responsible for industrial/OT workstation hardening and software inventory should also review exposure.

Technical summary

The supplied CVE text describes a network-accessible MySQL Client C API issue with high attack complexity, no privileges required, and no user interaction. If exploited, the attacker can obtain unauthorized read access to a limited subset of client-accessible data. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, matching a low confidentiality impact with no integrity or availability impact. The CISA CSAF record republishes the advisory under Festo Didactic SE MES PC and links remediation to Factory Control Panel as a replacement for XAMPP on MES PCs.

Defensive priority

Low-to-moderate operational priority. The issue is low severity, but it is network-reachable and unauthenticated, so exposed instances should still be inventoried and remediated where the affected client component is present.

Recommended defensive actions

  • Identify whether MES PC systems include the affected Oracle MySQL Client/C API component or related XAMPP tooling.
  • Review the Festo advisory and vendor references to confirm the applicable fixed or replacement version for your deployment.
  • Obtain the current Factory Control Panel release from Festo technical support if your environment uses the MES PC software path described in the advisory.
  • Restrict unnecessary network exposure around affected systems and segment OT/industrial workstations where feasible.
  • Validate that any remediation preserves required MES PC functionality before rollout.
  • Track asset inventory for the specific MES PC build and document whether the vulnerable component is present or absent.

Evidence notes

The supplied corpus gives the CVE publishedAt as 2024-02-27T12:00:00Z and modifiedAt as 2026-01-27T16:20:28.099Z. The advisory text states affected Oracle MySQL versions 5.6.47 and prior, 5.7.29 and prior, and 8.0.18 and prior, with unauthorized read access as the impact. CISA’s CSAF metadata republishes the issue under Festo Didactic SE MES PC, and the remediation entry says Factory Control Panel replaced XAMPP on MES PCs. The remediation date in the source corpus (2023-05-26) predates the CVE publication timestamp, so it should be treated as vendor fix availability context rather than the disclosure date. The corpus also contains a possible product/vulnerability-description mismatch; the advisory text should be verified against the deployed software stack.
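The inventory step in the recommended actions and the affected-version statement in the evidence notes reduce to one check: is the deployed MySQL client on an affected branch at or below the stated patch level? The script below is an added example, not Festo or Oracle tooling, and it assumes that "X.Y.Z and prior" means the X.Y branch up to and including X.Y.Z; a client on a branch the advisory text does not name (5.5, for instance) is reported as not covered rather than as safe, so it can be checked against the vendor references by hand. The hostnames and version strings are constructed for illustration.

```python
"""Version-range triage for CVE-2020-2922 (added example, not from the advisory).

Affected ranges are taken from the advisory text quoted on this page:
5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior.  Interpreting
"X.Y.Z and prior" as "the X.Y branch up to and including X.Y.Z" is an
assumption made here; other branches are reported as 'not-covered'.
"""
from __future__ import annotations

import re
from typing import Optional

# (major, minor) -> highest affected patch level, per the advisory text on this page
AFFECTED_BRANCHES = {
    (5, 6): 47,
    (5, 7): 29,
    (8, 0): 18,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Extract the first major.minor.patch triple from a version string.

    Tolerates the suffixes and banners client builds carry, e.g.
    "8.0.18-commercial", "5.7.29-log" or a full "mysql --version" line.
    Returns None when no three-part version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Return 'affected', 'fixed', 'not-covered' or 'unparseable' for one version string."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    major, minor, patch = v
    ceiling = AFFECTED_BRANCHES.get((major, minor))
    if ceiling is None:
        # Branch not named in the advisory text: do not assume it is safe.
        return "not-covered"
    return "affected" if patch <= ceiling else "fixed"


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Classify every host in a {hostname: version_string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "mes-pc-01": "mysql  Ver 14.14 Distrib 5.6.47, for Linux (x86_64)",
    "mes-pc-02": "8.0.18-commercial",
    "mes-pc-03": "8.0.19",
    "mes-pc-04": "5.7.30-log",
    "mes-pc-05": "5.5.62",
    "mes-pc-06": "no client installed",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> {verdict}")
```

Feed it the version strings your asset inventory already collects (the output of the client's version banner is enough) and treat 'affected' and 'not-covered' hosts as the ones needing the Factory Control Panel replacement or a manual check against the vendor references; 'unparseable' entries usually mean the component is absent, which is worth recording explicitly as the last recommended action asks.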

Official resources

This debrief is based only on the supplied source corpus and official links. It describes a low-severity, network-reachable confidentiality issue and includes a noted source-corpus mismatch between the Oracle MySQL Client description and F