PatchSiren cyber security CVE debrief
CVE-2021-21703 Festo Didactic SE CVE debrief
CVE-2021-21703 is a high-severity local privilege-escalation issue that CISA’s advisory ties to Festo Didactic SE MES PC deployments running vulnerable PHP-FPM versions. In the affected PHP ranges, a lower-privileged worker can alter shared memory in a way that triggers invalid reads and writes in the root-owned master process, creating a path to root compromise on the host.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Organizations running Festo Didactic SE MES PC systems, especially if they still depend on PHP-FPM/XAMPP-style deployments with a root master daemon and non-root worker processes. Linux administrators and OT/industrial operators should prioritize this if any local user access exists on the affected system.
Technical summary
The advisory describes a PHP-FPM memory corruption condition in PHP 7.3.x through 7.3.31, 7.4.x below 7.4.25, and 8.0.x below 8.0.12. The risk depends on a common FPM privilege separation pattern: the main daemon runs as root while child workers run as lower-privileged users. Under those conditions, a worker can access and write to shared memory associated with the main process, potentially causing the root process to perform invalid memory reads and writes and enabling local privilege escalation.
Defensive priority
High
Recommended defensive actions
- Move to the vendor-recommended replacement: Festo Didactic states that Factory Control Panel replaces XAMPP on MES PCs and includes fixes for these vulnerabilities.
- Verify whether any MES PC deployment still uses affected PHP-FPM versions or a root-owned FPM master with lower-privileged workers.
- Apply the current fixed Factory Control Panel version through Festo Didactic technical support as directed in the advisory.
- Limit local shell access and reduce the number of users who can interact with the affected host until remediation is complete.
- Review the system for privilege-separation assumptions in PHP-FPM deployments and treat root-owned service processes as high-value targets.
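As an added example (not code from the CISA advisory, from Festo Didactic, or from the PHP project), the following POSIX shell script turns two points above into checks an administrator can run on a Linux host: the affected PHP-FPM version ranges named in the technical summary, and the root-owned master / lower-privileged worker pattern that the second recommended action asks you to verify. It assumes that `php -r 'echo PHP_VERSION;'` reports the same PHP build as the FPM service (true for normal distribution packages, but confirm against the FPM binary if PHP was built separately), and that php-fpm sets its process titles to `php-fpm: master process (...)` and `php-fpm: pool <name>`, which is what `ps -eo user,args` shows on a typical installation. The sample process lines used for testing are constructed.

```shell
#!/bin/sh
# Added example: classify a PHP version against the PHP-FPM ranges named in the
# debrief and inspect a process listing for the root-master / non-root-worker
# privilege-separation pattern the advisory depends on. Not vendor code.

# php_fpm_affected VERSION
# Exit 0 when VERSION falls inside an affected range (7.3.x up to and including
# 7.3.31, 7.4.x below 7.4.25, 8.0.x below 8.0.12), otherwise exit 1.
php_fpm_affected() {
    ver=$1
    oldifs=$IFS
    IFS=.
    set -- $ver                 # split "7.4.3-4ubuntu2" into 7 / 4 / 3-4ubuntu2
    IFS=$oldifs
    major=${1:-0} minor=${2:-0} patch=${3:-0}
    patch=${patch%%[!0-9]*}     # drop distro or RC suffixes such as "3-4ubuntu2"
    case "$major.$minor" in
        7.3) [ "${patch:-0}" -le 31 ] ;;
        7.4) [ "${patch:-0}" -lt 25 ] ;;
        8.0) [ "${patch:-0}" -lt 12 ] ;;
        *)   return 1 ;;
    esac
}

# fpm_privsep_pattern
# Reads "USER COMMAND" lines on stdin (the shape of `ps -eo user,args`) and exits
# 0 when a root-owned php-fpm master and at least one php-fpm pool worker
# running as a different user are both present. Assumes php-fpm's default
# process titles ("php-fpm: master process (...)" and "php-fpm: pool NAME").
fpm_privsep_pattern() {
    master=0
    worker=0
    while IFS= read -r line; do
        case "$line" in
            *php-fpm*) ;;
            *) continue ;;
        esac
        set -- $line            # first field is the owning user
        user=$1
        case "$line" in
            *"master process"*) if [ "$user" = root ]; then master=1; fi ;;
            *"pool "*)          if [ "$user" != root ]; then worker=1; fi ;;
        esac
    done
    [ "$master" -eq 1 ] && [ "$worker" -eq 1 ]
}

# Live check, only when invoked as: sh fpm_check.sh live
# Assumption: the CLI's PHP_VERSION matches the FPM build on this host.
if [ "${1:-}" = live ]; then
    ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null || echo unknown)
    if php_fpm_affected "$ver"; then
        echo "PHP $ver is inside an affected PHP-FPM range"
    else
        echo "PHP $ver is outside the affected ranges (or could not be parsed)"
    fi
    if ps -eo user,args | fpm_privsep_pattern; then
        echo "root php-fpm master with non-root workers: the advisory's precondition applies"
    else
        echo "no root-master / non-root-worker php-fpm pattern found"
    fi
fi
```

Run it as `sh fpm_check.sh live` on the host; without the argument it only defines the two functions so they can be sourced from other tooling. Both checks reporting positive means the host matches the condition the advisory describes and remediation (the Factory Control Panel replacement) should be prioritized. A negative version result is not proof of safety if FPM was built from a different PHP than the CLI, which is why the version is worth confirming against the FPM binary itself.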
Evidence notes
This debrief is based on the CISA CSAF republication for Festo Didactic SE MES PC and its referenced vendor materials. The source text explicitly states the affected PHP version ranges, the root/master and lower-privileged worker condition, the local privilege-escalation impact, and the vendor remediation that replaces XAMPP with Factory Control Panel. No exploit code or unsupported attribution was used.
Official resources
- CVE-2021-21703 CVE record (CVE.org)
- CVE-2021-21703 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
CISA republished the advisory on 2024-02-27, with a later republication recorded on 2026-01-27. The vendor remediation referenced in the source is dated 2023-05-26; this debrief uses those advisory dates for context and does not treat them,