PatchSiren cyber security CVE debrief
CVE-2021-27928 Festo Didactic SE CVE debrief
CVE-2021-27928 is a high-severity remote code execution issue that the supplied CISA CSAF advisory maps to Festo Didactic SE MES PC. The advisory text describes an untrusted search path leading to eval injection in MariaDB/Percona/wsrep-related components, where a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. Festo’s remediation entry in the source corpus says Factory Control Panel replaces XAMPP on MES PCs and includes fixes. Because the vulnerability description names upstream database components and specific version ranges, operators should validate whether their MES PC deployment actually includes the affected software before treating the appliance as exposed.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Festo Didactic SE MES PC operators, OT/ICS administrators, database administrators with SUPER privileges on affected systems, and security teams responsible for appliances that bundle MariaDB, Percona Server, or wsrep components.
Technical summary
The advisory describes an RCE path with CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Exploitation requires high privileges: a database SUPER user must be able to change wsrep_provider and wsrep_notify_cmd, after which an untrusted search path can lead to eval injection and OS command execution. The source corpus ties the issue to MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9, plus Percona Server and wsrep patch states referenced in the description. For Festo, the documented fix is to move to the Factory Control Panel replacement for XAMPP and obtain the current version through technical support.
Defensive priority
High for any MES PC deployment that includes the affected MariaDB/Percona/wsrep/XAMPP components; otherwise, validate component inventory first and prioritize based on whether SUPER-level configuration changes are possible.
Recommended defensive actions
- Inventory MES PC systems and confirm whether the affected MariaDB/Percona/wsrep or XAMPP components are present and at vulnerable versions.
- If applicable, obtain and deploy the current Factory Control Panel version from Festo support, as referenced in the advisory remediation.
- Restrict who can obtain SUPER privileges and who can modify wsrep_provider and wsrep_notify_cmd.
- Review database service account execution paths and harden search path settings to reduce the chance of eval injection.
- Monitor for unexpected OS command execution or configuration changes on MES PC hosts and apply CISA ICS defensive guidance referenced by the advisory.
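A defender-side check for the prerequisite the advisory describes (a SUPER user changing wsrep_provider or wsrep_notify_cmd), as an added example that is not part of the advisory or Festo's own tooling: it scans MariaDB general-log-style query lines and flags changes to those two settings, rating a non-empty notify command or a provider library outside an assumed trusted directory as high severity. The log layout, the sample lines and the trusted directories are assumptions, not values from the advisory.

```python
import re
from typing import Dict, List

# Constructed sample lines in MariaDB general-log style ("time<TAB>id Command<TAB>Argument").
# They are not captures from a real MES PC; they only exercise the checker.
SAMPLE_LOG = """\
240227 10:01:02\t    7 Query\tSELECT * FROM orders WHERE id = 42
240227 10:01:05\t    9 Query\tSET GLOBAL wsrep_notify_cmd = '/tmp/notify.sh'
240227 10:01:09\t    9 Query\tSET GLOBAL wsrep_provider = '/tmp/libgalera_smm.so'
240227 10:02:11\t   11 Query\tSET GLOBAL wsrep_provider = '/usr/lib/galera/libgalera_smm.so'
240227 10:02:30\t   11 Query\tSET SESSION sql_mode = 'STRICT_ALL_TABLES'
"""

# The two settings whose modification by a SUPER user is the advisory's precondition.
WATCHED = {"wsrep_provider", "wsrep_notify_cmd"}
# Assumed deployment policy: provider libraries are only expected from these directories.
TRUSTED_PROVIDER_DIRS = ("/usr/lib/galera/", "/usr/lib64/galera/")

LINE_RE = re.compile(r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2})\t\s*(?P<conn>\d+) Query\t(?P<sql>.*)$")
# Matches "SET GLOBAL wsrep_x = 'v'" and "SET @@global.wsrep_x = 'v'" (case-insensitive).
SET_RE = re.compile(
    r"^\s*SET\s+(?:GLOBAL|@@global\.)?\s*(?P<var>wsrep_\w+)\s*=\s*'?(?P<val>[^']*)'?",
    re.IGNORECASE,
)


def find_wsrep_changes(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per query line that sets a watched wsrep variable."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SET_RE.match(m.group("sql"))
        if not s or s.group("var").lower() not in WATCHED:
            continue
        var, val = s.group("var").lower(), s.group("val").strip()
        if var == "wsrep_notify_cmd":
            # Any non-empty notify command is executed by the server on cluster events.
            severity = "high" if val else "info"
        else:
            # A provider library loaded from outside the trusted directories is the red flag.
            severity = "high" if not val.startswith(TRUSTED_PROVIDER_DIRS) else "info"
        findings.append({"time": m.group("ts"), "conn": m.group("conn"),
                         "variable": var, "value": val, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_wsrep_changes(SAMPLE_LOG):
        print(f"{f['time']} conn={f['conn']} {f['severity'].upper()}: {f['variable']}={f['value']}")
```

Pair this with a periodic `SHOW GLOBAL VARIABLES LIKE 'wsrep%'` and a review of which accounts hold SUPER, since a change made before logging started will not appear in the log.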
Evidence notes
The debrief is based only on the supplied CISA CSAF source item (ICSA-26-027-02) and its listed references. The source ties CVE-2021-27928 to Festo Didactic SE MES PC, while the description itself names upstream MariaDB/Percona/wsrep affected versions and the SUPER-user prerequisite. The remediation entry states that Factory Control Panel replaces XAMPP on MES PCs and that the current version includes fixes. The supplied enrichment shows no KEV entry and no known ransomware campaign use. Timing context used here follows the supplied CVE publishedAt date of 2024-02-27 and source modifiedAt date of 2026-01-27; the remediation date in the source corpus is 2023-05-26.
Official resources
- CVE-2021-27928 CVE record (CVE.org)
- CVE-2021-27928 NVD detail (NVD)
- Source item URL (cisa_csaf)
CVE-2021-27928 is published in this source corpus with a preferred display date of 2024-02-27. The CISA source item was later modified/republished on 2026-01-27, and the remediation entry recorded in the advisory is dated 2023-05-26. The c