PatchSiren cyber security CVE debrief
CVE-2021-21708 Festo Didactic SE CVE debrief
CVE-2021-21708 is a critical use-after-free in PHP’s FILTER_VALIDATE_FLOAT handling when min/max limits are used and the filter fails. In the supplied Festo Didactic SE advisory context, this issue is mapped to MES PC systems that relied on the affected PHP/XAMPP stack. The documented remediation is to move MES PC deployments to Festo’s Factory Control Panel replacement, which the advisory says includes fixes.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
MES PC administrators and OT/industrial-control operators using Festo Didactic SE systems, especially where bundled PHP components are present. Also relevant to any defender running PHP 7.4.x below 7.4.28, 8.0.x below 8.0.16, or 8.1.x below 8.1.3 in code paths that call FILTER_VALIDATE_FLOAT with min/max limits.
Technical summary
The issue is a memory-safety bug in PHP filter validation. When FILTER_VALIDATE_FLOAT is used with min/max constraints and validation fails, freed memory may be referenced again, producing use-after-free behavior (CWE-416). The supplied advisory states this can crash the process and may allow overwrite of other memory chunks, with potential RCE. The affected version ranges in the corpus are PHP 7.4.x before 7.4.28, 8.0.x before 8.0.16, and 8.1.x before 8.1.3.
Defensive priority
Immediate. The attack surface is network-reachable in the CVSS vector (AV:N, PR:N, UI:N) and the impact rating is high for confidentiality, integrity, and availability (9.8/Critical). Prioritize any MES PC deployment that still includes the vulnerable PHP path, and remediate before normal maintenance cycles.
Recommended defensive actions
- Confirm whether any Festo MES PC deployment uses the vulnerable PHP component path or bundled XAMPP stack described in the advisory.
- Upgrade to the vendor-provided replacement: Factory Control Panel, as referenced in the Festo remediation guidance.
- Where PHP is independently managed, ensure the running version is at or above the fixed release for its branch: 7.4.28, 8.0.16, or 8.1.3.
- Review application code for FILTER_VALIDATE_FLOAT usage with min/max limits and remove or refactor that dependency where practical.
- Validate that exposed MES PC services are segmented and limited to required hosts while remediation is in progress.
- Follow CISA ICS recommended practices and standard defense-in-depth controls for industrial environments.
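The two checks above (fixed-version comparison and a code review for FILTER_VALIDATE_FLOAT used with min/max limits) as an added Python audit helper; this is example code written for this debrief, not from the advisory or any Festo product, and the embedded PHP snippet is a constructed sample. The regex is a heuristic for locating candidate calls, not a PHP parser.

```python
import re

# Fixed releases from the advisory: branch -> first non-vulnerable version.
FIXED_VERSIONS = {(7, 4): (7, 4, 28), (8, 0): (8, 0, 16), (8, 1): (8, 1, 3)}

def is_vulnerable_php_version(version: str) -> bool:
    """True if `version` ('7.4.27', '8.0.15-1ubuntu1', ...) is in an affected branch below its fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED_VERSIONS.get((major, minor))
    # Branches outside the ranges the advisory lists are not in scope for this CVE.
    return fixed is not None and (major, minor, patch) < fixed

# Heuristic match for filter_var()/filter_input() style calls; DOTALL covers multi-line calls.
FILTER_CALL = re.compile(
    r"filter_(?:var_array|input_array|var|input)\s*\((?P<args>.*?)\)\s*;", re.DOTALL)

def find_risky_float_filters(php_source: str) -> list:
    """Return (line, call_text) for FILTER_VALIDATE_FLOAT calls that set min_range or max_range."""
    hits = []
    for m in FILTER_CALL.finditer(php_source):
        args = m.group("args")
        if "FILTER_VALIDATE_FLOAT" in args and re.search(r"\b(min_range|max_range)\b", args):
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, " ".join(m.group(0).split())))
    return hits

# Constructed sample PHP source (not from the advisory or any Festo product).
SAMPLE_PHP = """<?php
$speed = filter_var($_GET['speed'], FILTER_VALIDATE_FLOAT,
    ['options' => ['min_range' => 0.0, 'max_range' => 250.0]]);
$count = filter_var($_GET['count'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$ratio = filter_var($_GET['ratio'], FILTER_VALIDATE_FLOAT);
"""

if __name__ == "__main__":
    for ver in ("7.4.27", "7.4.28", "8.1.2"):
        print(ver, "vulnerable" if is_vulnerable_php_version(ver) else "fixed")
    for line, call in find_risky_float_filters(SAMPLE_PHP):
        print(f"line {line}: {call}")
```

Only the first sample call is flagged: the second uses FILTER_VALIDATE_INT and the third sets no range, so neither touches the failing min/max float path the advisory describes.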
Evidence notes
The source corpus is a CISA CSAF republication of Festo advisory ICSA-26-027-02 for Festo Didactic SE MES PC, with CVE-2021-21708 named explicitly. The corpus describes the PHP version ranges, the FILTER_VALIDATE_FLOAT/min-max failure condition, the use-after-free behavior, and the documented remediation to Factory Control Panel. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The timeline indicates the CVE published date is 2024-02-27 and the record was later modified on 2026-01-27; those are timing context only, not separate issue dates.
Official resources
- CVE-2021-21708 CVE record (CVE.org)
- CVE-2021-21708 NVD detail (NVD)
- Source item URL (cisa_csaf)
This debrief uses the supplied CVE published date of 2024-02-27 and notes the later 2026-01-27 modification timestamp only as record context. The Festo remediation entry in the corpus is dated 2023-05-26 and describes Factory Control Panel,