PatchSiren cyber security CVE debrief

CVE-2022-27376 Festo Didactic SE CVE debrief

CVE-2022-27376 is a high-severity use-after-free in MariaDB's Item_args::walk_arg that can be triggered by specially crafted SQL statements. In the supplied CISA/Festo advisory context, it is tied to Festo Didactic SE MES PC deployments that used XAMPP; Festo's remediation is to move to Factory Control Panel, which the vendor says includes fixes.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo MES PC operators, industrial/lab administrators, and defenders responsible for hosts that still use XAMPP or other bundled MariaDB components.

Technical summary

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a network-reachable, low-complexity flaw that needs no privileges and no user interaction, leaves scope unchanged, and has no confidentiality or integrity impact but a high availability impact. The vulnerable code path is Item_args::walk_arg, where crafted SQL can trigger a use-after-free and lead to service disruption or crash. The supplied corpus does not include proof-of-concept details, exploitation telemetry, or KEV inclusion.

Defensive priority

High for any exposed MES PC instance that still uses the vulnerable stack; prioritize inventory and vendor-supplied replacement because exploitation requires no privileges or user interaction. Since it is not listed in the supplied KEV data, treat it as a fix-now operational risk rather than a known-exploited item.

Recommended defensive actions

  • Inventory all Festo Didactic MES PC deployments and identify whether XAMPP or the affected MariaDB component is present.
  • Install the vendor-recommended Factory Control Panel version obtained through Festo technical support, per the advisory, and verify the replacement is current.
  • Reduce network exposure for affected hosts until remediation is complete, and monitor for anomalous SQL activity or service instability.
  • After remediation, confirm the vulnerable component version is no longer present and document the update for asset records.

Evidence notes

Source evidence comes from CISA's republished CSAF advisory for Festo Didactic SE MES PC (ICSA-26-027-02 / CVE-2022-27376), which cites the MariaDB use-after-free and lists a vendor remediation replacing XAMPP with Factory Control Panel. The corpus shows publication on 2024-02-27 and does not show KEV inclusion.

Official resources

Publicly disclosed in the supplied advisory set on 2024-02-27; the source record was republished/updated on 2026-01-27. No KEV listing is present in the supplied data.