PatchSiren cyber security CVE debrief
CVE-2021-2007 Festo Didactic SE CVE debrief
CVE-2021-2007 is a low-severity vulnerability described in a Festo Didactic SE MES PC advisory that points to Oracle MySQL Client (C API) versions 5.6.47 and earlier, 5.7.29 and earlier, and 8.0.19 and earlier. The advisory says a remote, unauthenticated attacker with network access via multiple protocols could compromise the client and obtain read access to a subset of accessible data. Festo’s remediation notes state that Factory Control Panel was released as a replacement for XAMPP on MES PCs and that customers should contact technical support for the current version that includes fixes.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: LOW 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
- CISA KEV: not listed in stored evidence
- CVE published (per source record): 2024-02-27
- CVE record updated (per source record): 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Festo Didactic SE MES PC operators, administrators responsible for the XAMPP stack on MES PCs or for its Factory Control Panel replacement, and anyone running the affected Oracle MySQL Client (C API) versions on hosts that make database connections across a network.
Technical summary
The source advisory maps CVE-2021-2007 to Oracle MySQL Client’s C API component and describes an information-disclosure outcome rather than code execution or service disruption. The published CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, which aligns with the advisory text: network reachable (AV:N), no privileges or user interaction required (PR:N, UI:N), but difficult to exploit (AC:H) and limited to read access to some client-accessible data (C:L, with no integrity or availability impact and scope unchanged). Because the affected component is the client library rather than the server, exposure arises from the connections the MES PC’s MySQL client makes, not from services the PC listens on; the advisory does not describe the trigger in more detail. The remediation record points to a vendor replacement package, Factory Control Panel, for MES PCs.
Defensive priority
Monitor and remediate as part of routine maintenance rather than emergency response. The issue is remotely reachable and unauthenticated, but the documented impact is limited to partial read access on the client, exploitation is rated difficult (AC:H), and the CVSS score is low.
Recommended defensive actions
- Identify MES PCs and any other installations that carry the affected Oracle MySQL Client C API versions listed in the advisory (5.6.47 and earlier, 5.7.29 and earlier, 8.0.19 and earlier).
- Apply the vendor-provided replacement guidance: obtain the current Factory Control Panel version from Festo technical support.
- Treat XAMPP-based or older bundled client components on MES PCs as candidates for replacement or upgrade.
- Until remediation is complete, limit the database servers the affected clients may connect to and the network paths those connections take, since the vulnerable code is on the client side.
- Validate that the updated installation is in place and that the vulnerable client component is no longer present, for example by re-checking the reported client version after the replacement.
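The first and last steps above reduce to one check: take the client version each MES PC reports and compare it with the advisory’s per-series ceilings. The script below is an added example for this debrief (not Festo’s tooling) that does that comparison over a constructed inventory of `mysql --version` style lines; the hostnames and output lines are invented for illustration, and the `libmysql.dll file version` line is an assumed format for a version read from a DLL rather than from the command. It deliberately reports anything the advisory does not name, including MariaDB clients (which recent XAMPP builds bundle instead of Oracle MySQL) and unlisted MySQL series, as "review" rather than "not affected".

```python
import re

# Affected ceilings stated in the advisory: each Oracle MySQL Client series is
# affected up to and including this version (5.6.47, 5.7.29, 8.0.19).
AFFECTED_CEILINGS = {
    (5, 6): (5, 6, 47),
    (5, 7): (5, 7, 29),
    (8, 0): (8, 0, 19),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a `mysql --version` line or a DLL
    file-version string, or None if no X.Y.Z version is present.
    Two-component tokens such as 'Ver 14.14' do not match the regex."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Classify one host's client version against the advisory ranges.
    Anything the advisory does not cover is marked 'review', never 'not affected'."""
    version = parse_version(version_text)
    if version is None:
        return version, "unknown: no version string found"
    if "mariadb" in version_text.lower():
        return version, "review: MariaDB client, not an Oracle MySQL Client series named in the advisory"
    ceiling = AFFECTED_CEILINGS.get(version[:2])
    if ceiling is None:
        return version, "review: series not named in the advisory"
    if version <= ceiling:
        return version, "affected: at or below advisory ceiling %d.%d.%d" % ceiling
    return version, "not affected: above advisory ceiling %d.%d.%d" % ceiling


def triage(inventory):
    """inventory: iterable of (host, version_text). Returns {host: (version, status)}."""
    return {host: assess(text) for host, text in inventory}


# Constructed sample inventory for demonstration; hostnames and outputs are invented.
SAMPLE_INVENTORY = [
    ("MES-PC-01", "mysql  Ver 14.14 Distrib 5.7.26, for Win64 (x86_64)"),
    ("MES-PC-02", "mysql  Ver 8.0.19 for Win64 on x86_64 (MySQL Community Server - GPL)"),
    ("MES-PC-03", "mysql  Ver 8.0.33 for Win64 on x86_64 (MySQL Community Server - GPL)"),
    ("MES-PC-04", "mysql  Ver 15.1 Distrib 10.4.6-MariaDB, for Win64 (AMD64)"),
    ("MES-PC-05", "libmysql.dll file version 5.6.48.0"),  # assumed format, not a real tool's output
    ("MES-PC-06", "mysql: command not found"),
]

if __name__ == "__main__":
    for host, (version, status) in sorted(triage(SAMPLE_INVENTORY).items()):
        shown = ".".join(map(str, version)) if version else "-"
        print("%-10s %-8s %s" % (host, shown, status))
```

Re-running the same check after the Factory Control Panel replacement is the validation step: a host that moved from "affected" to "not affected" has had the vulnerable client removed, while a host still reporting "unknown" or "review" needs a manual look rather than being ticked off.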
Evidence notes
Source evidence comes from the CISA CSAF advisory republished on 2026-01-27 with an initial CVE/advisory publication date of 2024-02-27. The advisory text explicitly states the affected Oracle MySQL Client versions, the unauthenticated network attack requirement, and the limited read-access impact. The remediation entry explicitly recommends Factory Control Panel as a replacement for XAMPP on MES PCs. Timing context in this debrief uses the supplied CVE published date rather than the later republication date.
Official resources
- CVE-2021-2007 CVE record (CVE.org)
- CVE-2021-2007 NVD detail (NVD)
- Source item URL (cisa_csaf)
CVE-2021-2007 was published on 2024-02-27 in the supplied source record. The CISA CSAF source was republished on 2026-01-27, but that later date reflects republication metadata rather than the original publication date. Note that the identifier was assigned in 2021 and the underlying Oracle MySQL Client issue was first disclosed in Oracle’s January 2021 Critical Patch Update; the 2024-02-27 date is when the Festo advisory carrying it was published, not when the flaw became public.