PatchSiren cyber security CVE debrief
CVE-2021-2389 Festo Didactic SE CVE debrief
The supplied advisory corpus describes a medium-severity denial-of-service issue tied to Oracle MySQL Server's InnoDB component. It says an unauthenticated attacker with network access via multiple protocols could cause a hang or frequently repeatable crash, resulting in complete denial of service. The source advisory is associated with Festo Didactic SE's MES PC product tree entry, and the published remediation points to a replacement Factory Control Panel release from Festo. No KEV listing is included in the supplied enrichment.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Operators and maintainers of Festo MES PC deployments, especially any environment that uses the affected Factory Control Panel or embedded MySQL components, plus teams responsible for network-exposed MySQL services in industrial or lab systems.
Technical summary
According to the supplied source text, the vulnerability affects Oracle MySQL Server InnoDB on supported versions 5.7.34 and earlier and 8.0.25 and earlier. The attack requires network access, does not require authentication, and is described as difficult to exploit. The impact is availability-only: a hang or repeatable crash of MySQL Server. The advisory references CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H with a score of 5.9. The CSAF remediation entry states that Festo released Factory Control Panel as a replacement for XAMPP on MES PCs and that the current version includes fixes.
Defensive priority
Medium. Treat as a service-availability risk that can disrupt MES PC operation or any dependent workflow. Prioritize remediation where the affected component is network reachable or part of production control tooling.
Recommended defensive actions
- Identify MES PC systems and any deployments that include the affected Factory Control Panel or embedded MySQL components described in the advisory.
- Apply the current Factory Control Panel version obtained through Festo support as directed in the remediation entry.
- Review whether the affected MySQL service is network exposed and restrict access to trusted hosts and required protocols only.
- Validate that patched systems no longer run the vulnerable versions referenced in the advisory and document the upgrade state.
- Monitor for hangs, repeated crashes, or service restarts affecting MySQL Server on MES PC systems.
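As an added example (not part of the advisory and not Festo or Oracle code), the validation step above can be scripted: the check below parses the version string a MySQL Server reports and compares it against the affected ceilings the advisory names (5.7.34 and 8.0.25). The host names and version strings are constructed; a build that a vendor patched without bumping the upstream version number would still show as affected and needs manual confirmation.

```python
import re

# Affected ranges as stated in the advisory text for CVE-2021-2389:
# MySQL Server 5.7.34 and earlier, and 8.0.25 and earlier.
AFFECTED_CEILING = {
    (5, 7): (5, 7, 34),
    (8, 0): (8, 0, 25),
}


def parse_mysql_version(version_string):
    """Return (major, minor, patch) from a version string.

    Accepts the bare SELECT VERSION() value (e.g. '8.0.25-0ubuntu0.20.04.1')
    as well as 'mysqld --version' output ('mysqld  Ver 5.7.34 for Win64 ...').
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", version_string)
    if match is None:
        raise ValueError(f"no x.y.z version in {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_string):
    """True if the version is in an affected branch at or below the ceiling,
    False if it is later than the ceiling, None if the branch is not one the
    advisory names (e.g. MariaDB or MySQL 8.1) and needs manual review."""
    major, minor, patch = parse_mysql_version(version_string)
    ceiling = AFFECTED_CEILING.get((major, minor))
    if ceiling is None:
        return None
    return (major, minor, patch) <= ceiling


# Constructed inventory (hypothetical hosts): name -> reported version string.
SAMPLE_INVENTORY = {
    "mespc-01": "mysqld  Ver 5.7.34 for Win64 on x86_64 (MySQL Community Server (GPL))",
    "mespc-02": "8.0.25-0ubuntu0.20.04.1",
    "mespc-03": "8.0.26",
    "mespc-04": "10.4.21-MariaDB",
}


def triage(inventory):
    """Map each host to 'affected', 'not affected' or 'review'."""
    labels = {True: "affected", False: "not affected", None: "review"}
    return {host: labels[is_affected(v)] for host, v in inventory.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```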
Evidence notes
This debrief is based only on the supplied CSAF source item, its embedded remediation and reference metadata, and the official CVE/NVD links listed in the corpus. The advisory text explicitly states the impacted MySQL versions, the unauthenticated network attack precondition, and the availability impact. The source metadata also records the advisory publication date as 2024-02-27 and a CISA republication on 2026-01-27; the vendor remediation date shown in the corpus is 2023-05-26 and should be treated as remediation context, not the CVE issue date. The source references include a CWE-20 link, but the corpus excerpt does not provide a separate CWE mapping beyond that reference.
Official resources
- CVE-2021-2389 CVE record (CVE.org)
- CVE-2021-2389 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
The supplied source corpus indicates the advisory was originally published on 2024-02-27 and republished by CISA on 2026-01-27. The remediation entry in the corpus points to a Festo support-provided Factory Control Panel release dated 2023-