PatchSiren cyber security CVE debrief

CVE-2021-35604 Festo Didactic SE CVE debrief

CISA’s republished advisory for Festo Didactic SE MES PC identifies CVE-2021-35604 as an Oracle MySQL InnoDB issue with availability and limited integrity impact. The advisory says affected versions include MySQL 5.7.35 and prior, and 8.0.26 and prior, and that successful attacks can cause a hang or repeatable crash as well as unauthorized insert, update, or delete activity on some accessible data. Festo’s remediation path points to a current Factory Control Panel release that includes fixes.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic SE MES PC operators, OT/ICS administrators, and support teams responsible for systems that include the affected MySQL/InnoDB component or the Factory Control Panel/XAMPP replacement path.

Technical summary

The CISA CSAF advisory for Festo Didactic SE MES PC maps CVE-2021-35604 to Oracle MySQL Server’s InnoDB component. The advisory states that MySQL 5.7.35 and earlier and 8.0.26 and earlier are affected. Successful exploitation by a high-privilege network attacker over multiple protocols can lead to a hang or frequently repeatable crash (complete DoS) and limited unauthorized insert, update, or delete access to accessible data. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H.

Defensive priority

Medium. The attack requires high privileges but is network reachable and can affect availability and integrity, which is significant for MES/OT environments.

Recommended defensive actions

  • Identify whether any Festo MES PC deployments still include the vulnerable MySQL/InnoDB versions noted in the advisory.
  • Obtain and deploy the current Factory Control Panel version referenced by Festo support.
  • Confirm asset inventory and configuration for MES PCs, including any XAMPP or embedded MySQL components.
  • Restrict administrative access and network paths to the affected service while remediation is scheduled.
  • Validate after update that the MySQL service no longer matches the affected version ranges.
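One way to carry out the last step, the post-update version check, as an added example that is not part of the advisory or any Festo tooling: it classifies MySQL version strings (from `SELECT VERSION()` or `mysqld --version`) against the two affected ranges the advisory names, and deliberately reports any series the advisory does not cover as needing manual review rather than as safe. The script name in the usage comment is an assumption.

```python
import re
import sys

# Affected ranges as stated in the advisory: MySQL 5.7.35 and prior, 8.0.26 and prior.
# Keyed by (major, minor) series; the value is the last affected patch level.
AFFECTED_SERIES = {(5, 7): 35, (8, 0): 26}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from MySQL version output, or None.

    Handles raw strings such as '8.0.26-log', '5.7.35-0ubuntu0.18.04.1',
    a SELECT VERSION() result, or the banner printed by `mysqld --version`.
    """
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(text):
    """Classify a version string against the advisory's affected ranges.

    True  -> inside an affected range (5.7.x <= 35 or 8.0.x <= 26)
    False -> in a listed series but past the last affected patch level
    None  -> series not covered by the advisory (e.g. 5.6.x, 8.1.x) or
             unparseable; treat as needing manual review, not as safe
    """
    v = parse_version(text)
    if v is None:
        return None
    major, minor, patch = v
    last_bad = AFFECTED_SERIES.get((major, minor))
    return None if last_bad is None else patch <= last_bad


def classify_lines(lines):
    """Map each non-empty input line to (verdict label, stripped line)."""
    labels = {True: "AFFECTED", False: "not affected", None: "manual review"}
    return [(labels[is_affected(line)], line.strip()) for line in lines if line.strip()]


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   mysqld --version | python check_cve_2021_35604.py
    #   mysql -N -e 'SELECT VERSION()' | python check_cve_2021_35604.py
    for verdict, line in classify_lines(sys.stdin):
        print(f"{verdict}: {line}")
```

Run it against the server's own version output, not the client banner from `mysql --version`, since the advisory concerns the InnoDB server component.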

Evidence notes

CISA’s advisory ICSA-26-027-02, republished from the Festo advisory lineage, lists CVE-2021-35604 for Festo Didactic SE MES PC and describes Oracle MySQL Server/InnoDB impact, affected versions, the CVSS vector, and the vendor remediation path via Factory Control Panel. The source revision history shows the initial advisory date of 2024-02-27 and a later CISA republication on 2026-01-27; the remediation entry is dated 2023-05-26.

Official resources

Publicly disclosed in a CISA CSAF advisory on 2024-02-27 and republished by CISA on 2026-01-27 from the Festo advisory lineage.