CVE-2021-46661 Festo Didactic SE CVE debrief

Who should care

Operators and support teams responsible for Festo Didactic SE MES PC systems, especially environments that still rely on the affected MariaDB/XAMPP-based stack and have local engineering or administrative access paths.

Technical summary

The supplied advisory data identifies a crash in MariaDB query resolution functions find_field_in_tables and find_order_in_list triggered by an unused CTE. The CVSS vector in the source is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which indicates a local, low-privilege denial-of-service issue with no confidentiality or integrity impact and high availability impact. The source corpus does not describe code execution, persistence, or remote exploitation details.

Defensive priority

Medium

Recommended defensive actions

• Confirm whether MES PC deployments use the affected MariaDB/XAMPP-based software stack.
• Obtain and deploy the current Factory Control Panel version from Festo technical support, as noted in the advisory remediation.
• Restrict local database and engineering access to trusted users only, since the CVSS vector requires local privileges.
• Test service recovery procedures so a database or application crash does not interrupt operations longer than necessary.
• Monitor the official CISA and Festo advisory links for any follow-up guidance or revised remediation notes.

Evidence notes

Evidence comes from the CISA CSAF advisory for Festo Didactic SE MES PC and the linked official records. The source states: 'MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).' The remediation section says Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs and includes fixes for these vulnerabilities. The provided CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Official resources