PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-21705 Festo Didactic SE CVE debrief

CVE-2021-21705 is a PHP URL-validation flaw: when filter_var() is used with FILTER_VALIDATE_URL, a URL with an invalid password field can be accepted as valid. In affected environments, that can cause incorrect URL parsing and lead to integrity-impacting mistakes such as contacting the wrong server or making the wrong access decision.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Administrators and developers responsible for Festo Didactic SE MES PC deployments, especially any code or configuration that relies on PHP URL validation. Security teams should also care if URL parsing outcomes influence authentication, routing, allowlists, or other access decisions.

Technical summary

The issue affects PHP 7.3.x before 7.3.29, 7.4.x before 7.4.21, and 8.0.x before 8.0.8. When filter_var() is used with FILTER_VALIDATE_URL, a URL containing an invalid password field may still be accepted as valid. The practical risk is not direct code execution but downstream logic errors caused by the incorrect parsing result. The CISA CSAF advisory maps the issue to Festo Didactic SE MES PC and notes a vendor replacement path: Factory Control Panel as a replacement for XAMPP on MES PCs.

Defensive priority

Medium

Recommended defensive actions

  • Update PHP to a fixed release: 7.3.29, 7.4.21, or 8.0.8 (or later) wherever this validation path is used.
  • Review any application logic that uses filter_var(..., FILTER_VALIDATE_URL) for security decisions, especially allowlists, redirects, server selection, and credential-bearing URLs.
  • Do not rely on URL validation alone for trust decisions; separately parse and verify host, scheme, credentials, and destination as needed.
  • For Festo Didactic MES PC environments, obtain the current Factory Control Panel replacement from Festo technical support as described in the advisory.
  • Inventory deployments for XAMPP- or PHP-based components on MES PCs and confirm they are running fixed versions or the replacement component.
  • Re-test workflows that consume validated URLs to ensure malformed password fields no longer change routing or access behavior.
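The following PHP snippet is an added example, not code from the advisory or the vendor, illustrating the second and third actions above (and the validation gap described in the technical summary): it treats filter_var() as a syntax check only and makes the trust decision from separately parsed scheme, credentials and host. The hostnames in $allowedHosts and $samples are constructed placeholders.

```php
<?php
// Added example: defence-in-depth check that does not rely on
// filter_var(FILTER_VALIDATE_URL) alone for a trust decision.
// Hostnames used below are constructed placeholders, not real systems.

function isTrustedUrl(string $url, array $allowedHosts): bool
{
    // Step 1: syntactic validation. On unpatched PHP this alone can still
    // accept a URL whose password field is invalid, so it is not sufficient.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // Step 2: only the scheme the application actually expects.
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }

    // Step 3: reject any embedded credentials outright; a credential-bearing
    // URL should never be what decides routing or access here.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    // Step 4: explicit, case-insensitive host allowlist.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed allowlist and sample inputs for demonstration.
$allowedHosts = ['mes.example.internal'];
$samples = [
    'https://mes.example.internal/api/status',           // trusted
    'https://operator:secret@mes.example.internal/api',  // rejected: credentials present
    'http://mes.example.internal/api/status',            // rejected: wrong scheme
    'https://other.example/api/status',                  // rejected: host not allowlisted
];

foreach ($samples as $u) {
    printf("%-52s %s\n", $u, isTrustedUrl($u, $allowedHosts) ? 'trusted' : 'rejected');
}
```

Running this on a patched PHP build produces the same verdicts as on an unpatched one, which is the point: the trust decision no longer depends on how filter_var() handles the password field.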

Evidence notes

The supplied CISA CSAF source item (ICSA-26-027-02) states the flaw affects PHP versions below 7.3.29, 7.4.21, and 8.0.8 and describes the incorrect acceptance of a URL with an invalid password field. The same advisory ties the issue to Festo Didactic SE MES PC and includes a remediation entry dated 2023-05-26 describing Factory Control Panel as the replacement for XAMPP on MES PCs. The supplied timeline uses 2024-02-27 as the advisory publication date and 2026-01-27 as the republication/modified date; those are advisory timestamps, not the date the flaw was introduced.

Official resources

Public advisory material in the supplied corpus is dated 2024-02-27, with a later CISA republication on 2026-01-27. The vendor remediation entry in the source notes a 2023-05-26 replacement release path. This debrief reflects only the facts