PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-21706 Festo Didactic SE CVE debrief

CVE-2021-21706 describes a Windows-specific weakness in PHP's ZipArchive::extractTo: a crafted entry name in a ZIP archive can cause a file to be written outside the intended extraction directory, a directory traversal during extraction. It matters for Festo Didactic SE MES PC because those systems run a Windows PHP stack (XAMPP, which the advisory's remediation note says Factory Control Panel now replaces), so a MES PC that extracts an untrusted archive could have files created or overwritten anywhere the PHP process has write permission.

Vendor
Festo Didactic SE
Product
MES PC
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-27
Original CVE updated
2026-01-27
Advisory published
2024-02-27
Advisory updated
2026-01-27

Who should care

Organizations running Festo Didactic SE MES PC deployments on Windows, especially if they use the affected PHP releases (7.3.x below 7.3.31, 7.4.x below 7.4.24, or 8.0.x below 8.0.11) and process ZIP files from users or external sources.

Technical summary

The advisory source states that on Microsoft Windows, PHP ZipArchive::extractTo may be tricked into writing a file outside the target directory while extracting a ZIP file. The impact is integrity-focused: files may be created or overwritten, subject to OS permissions. The issue is described for PHP 7.3.x < 7.3.31, 7.4.x < 7.4.24, and 8.0.x < 8.0.11. Festo Didactic's remediation notes point to Factory Control Panel as the replacement for XAMPP on MES PCs, with fixes included in the current version obtained via technical support.

Defensive priority

Medium priority. Treat as high relevance if MES PC systems run affected PHP versions on Windows and extract archives from untrusted or semi-trusted sources.

Recommended defensive actions

  • Confirm whether MES PC systems use affected PHP versions on Windows and inventory any ZIP extraction workflows.
  • Upgrade to a fixed PHP release where applicable: 7.3.31, 7.4.24, or 8.0.11 or later.
  • Follow Festo Didactic guidance to obtain the current Factory Control Panel version that includes the fixes, contacting Festo Didactic technical support at the e-mail address given in the remediation note.
  • Restrict which users and services can process ZIP files and minimize write permissions on target directories.
  • Monitor for unexpected file creation or overwrite events outside the intended extraction directory, for example with Windows file-system auditing on the web root and on any other directory the PHP process can write to.
  • Treat ZIP archives from external or user-controlled sources as untrusted and validate extraction behavior in a test environment before rollout.
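As an added example (not code from the advisory, from Festo Didactic or from the PHP project), the following PHP script shows the defence-in-depth guard a MES PC or any other Windows PHP deployment could place around ZipArchive::extractTo, covering the technical summary above and the inventory, permission and validation actions in the list: it reports whether the running interpreter is one of the affected Windows builds named in the advisory, and it validates every entry name before extracting an explicit list of validated names (backslashes are treated as separators, and entries with '..' segments, absolute paths, drive letters, UNC prefixes, alternate data streams or embedded NULs are rejected). The helper names and the two constructed archives are this example's own. Upgrading PHP remains the fix; the guard only limits what an unpatched build can be made to write.

```php
<?php
// Added example, not code from Festo Didactic, CISA or the PHP project.
// Defence in depth for CVE-2021-21706: refuse ZIP entries that could escape the
// target directory before calling ZipArchive::extractTo, and detect whether the
// running interpreter is one of the affected Windows builds named in the advisory.
// Helper names (isAffectedPhp, safeEntryName, safeExtract) are this example's own.
declare(strict_types=1);

/** True when this interpreter is an affected Windows build (7.3 < 7.3.31, 7.4 < 7.4.24, 8.0 < 8.0.11). */
function isAffectedPhp(string $version = PHP_VERSION, string $os = PHP_OS_FAMILY): bool
{
    if ($os !== 'Windows') {
        return false;                                  // the defect is Windows-specific
    }
    $fixed  = ['7.3' => '7.3.31', '7.4' => '7.4.24', '8.0' => '8.0.11'];
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    return isset($fixed[$branch]) && version_compare($version, $fixed[$branch], '<');
}

/** Reject entry names that could resolve outside the target directory on Windows. */
function safeEntryName(string $name): bool
{
    $norm = str_replace('\\', '/', $name);             // treat '\' as a separator, as Windows does
    if ($norm === '' || $norm[0] === '/') {
        return false;                                  // absolute path or UNC prefix (\\server\share)
    }
    if (strpos($norm, ':') !== false || strpos($norm, "\0") !== false) {
        return false;                                  // drive letter (C:..), ADS (file:stream), NUL
    }
    foreach (explode('/', $norm) as $segment) {
        if ($segment === '..') {
            return false;                              // parent-directory traversal
        }
    }
    return true;
}

/**
 * Validate every entry, then extract only the validated names. Fails closed: one bad
 * entry rejects the whole archive, so nothing is written from a hostile upload.
 */
function safeExtract(string $zipPath, string $target): array
{
    if (isAffectedPhp()) {
        error_log('warning: affected PHP ' . PHP_VERSION . ' on Windows; upgrade per the advisory');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !safeEntryName($name)) {
            $zip->close();
            throw new RuntimeException('unsafe entry name: ' . var_export($name, true));
        }
        $names[] = $name;
    }
    if (!$zip->extractTo($target, $names)) {           // explicit list: only validated names are written
        $zip->close();
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
    return $names;
}

// Demo on two constructed archives in a scratch directory (sample data, not from any MES PC).
$scratch = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve-2021-21706-' . bin2hex(random_bytes(4));
$out     = $scratch . DIRECTORY_SEPARATOR . 'out';
mkdir($out, 0700, true);

$hostile = $scratch . DIRECTORY_SEPARATOR . 'hostile.zip';
$z = new ZipArchive();
$z->open($hostile, ZipArchive::CREATE);
$z->addFromString('report.txt', 'benign content');
$z->addFromString('..\\..\\escape.txt', 'lands outside the target on an affected Windows build');
$z->close();

$clean = $scratch . DIRECTORY_SEPARATOR . 'clean.zip';
$z = new ZipArchive();
$z->open($clean, ZipArchive::CREATE);
$z->addFromString('docs/readme.txt', 'benign content');
$z->close();

try {
    safeExtract($hostile, $out);                       // throws before extractTo is ever called
} catch (RuntimeException $e) {
    echo 'hostile.zip rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'clean.zip extracted: ', implode(', ', safeExtract($clean, $out)), PHP_EOL;
```

Run it with the MES PC's own interpreter (php example.php) so that isAffectedPhp reflects the build actually serving the application. The branch table is keyed on the first two version components, so an 8.1 or later interpreter is reported as outside the advisory's scope; that says nothing about other defects in those branches, and the entry-name validation is worth keeping regardless of version.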

Evidence notes

CISA CSAF advisory ICSA-26-027-02 for Festo Didactic SE MES PC cites CVE-2021-21706 and states the issue affects PHP 7.3.x below 7.3.31, 7.4.x below 7.4.24, and 8.0.x below 8.0.11 on Microsoft Windows, where ZipArchive::extractTo may write outside the target directory. The remediation entry says Factory Control Panel replaces XAMPP on MES PCs and includes fixes. The source advisory was published on 2024-02-27 and republished on 2026-01-27; those dates describe advisory handling, not the original vulnerability discovery date.

Official resources

CISA published the advisory on 2024-02-27 and republished it on 2026-01-27; the supplied source record is dated 2024-02-27.