PatchSiren cyber security CVE debrief
CVE-2022-31625 Festo Didactic SE CVE debrief
CVE-2022-31625 describes a memory-safety flaw in PHP’s PostgreSQL extension that can be triggered by invalid parameters in a parameterized query. In the supplied Festo MES PC advisory context, the issue is treated as high severity because it may lead to denial of service and, in the worst case, remote code execution. The affected PHP ranges are 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7. Festo’s remediation guidance points to a replacement Factory Control Panel version for MES PCs.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Organizations running Festo Didactic MES PC deployments, especially those that include PHP with the PostgreSQL extension or rely on the bundled Factory Control Panel/XAMPP stack, should review exposure. Industrial and OT environments that cannot tolerate application crashes or service interruption should prioritize validation and patching.
Technical summary
The advisory says that when PHP uses the PostgreSQL database extension, supplying invalid parameters to a parameterized query may cause PHP to free memory using uninitialized data as pointers. That kind of memory misuse can destabilize the process, producing a denial of service and potentially enabling remote code execution. The supplied advisory associates the issue with PHP 7.4.x < 7.4.30, 8.0.x < 8.0.20, and 8.1.x < 8.1.7, and links the vendor-side fix to a newer Factory Control Panel release for MES PCs.
Defensive priority
High. The CVSS score is 8.1 and the impact includes possible RCE and DoS. Prioritize systems that expose the affected PHP/PostgreSQL path in production MES PC environments.
Recommended defensive actions
- Confirm whether the MES PC deployment uses an affected PHP release and the PostgreSQL extension.
- Upgrade to a fixed PHP version or install the current Festo Factory Control Panel version that includes the relevant fixes.
- Validate whether any application components issue parameterized PostgreSQL queries with malformed or unexpected parameters.
- Restrict network and application access to the MES PC and its database interfaces to reduce exposure while remediation is underway.
- Monitor affected hosts for PHP crashes, service instability, and other signs of memory-safety failures.
- Plan maintenance windows and test updates in a non-production environment before broad rollout.
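As an added example (not code from Festo or the advisory), a small audit helper for the first two actions above: it applies the advisory's per-branch fix thresholds (7.4.30, 8.0.20, 8.1.7) to a host's PHP version and checks whether the PostgreSQL extension is loaded, flagging exposure only when both hold. It assumes a `php` binary on PATH for the live check and that the extension reports under PHP's standard module name `pgsql` in `php -m`; the sample output in the `__main__` block is constructed.

```python
"""Audit helper for CVE-2022-31625: affected PHP branch/version AND pgsql extension loaded."""
import re
import subprocess

# First fixed release per branch, from the advisory; anything older on that branch is affected.
FIXED_VERSIONS = {(7, 4): (7, 4, 30), (8, 0): (8, 0, 20), (8, 1): (8, 1, 7)}
# Name under which PHP's PostgreSQL extension appears in `php -m` (assumed standard build).
PGSQL_MODULE = "pgsql"

def parse_version(text):
    """Extract the first x.y.z version from `php -v` output as an int tuple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PHP version found in: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected_version(version):
    """True only for an affected branch (7.4/8.0/8.1) below that branch's fixed release."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version < fixed

def pgsql_loaded(modules_text):
    """True if `php -m` output lists the pgsql module (case-insensitive)."""
    names = {line.strip().lower() for line in modules_text.splitlines()}
    return PGSQL_MODULE in names

def assess(version_text, modules_text):
    """Combine both checks; 'exposed' is True only when version AND extension match."""
    version = parse_version(version_text)
    affected = is_affected_version(version)
    loaded = pgsql_loaded(modules_text)
    return {
        "version": ".".join(map(str, version)),
        "affected_version": affected,
        "pgsql_loaded": loaded,
        "exposed": affected and loaded,
    }

def assess_local_php(php="php"):
    """Run the check against a php binary on this host (assumed to be on PATH)."""
    v = subprocess.run([php, "-v"], capture_output=True, text=True, check=True).stdout
    m = subprocess.run([php, "-m"], capture_output=True, text=True, check=True).stdout
    return assess(v, m)

if __name__ == "__main__":
    # Constructed sample in the shape of `php -v` / `php -m` output, not captured from a real MES PC.
    sample_v = "PHP 8.0.19 (cli) (built: May 10 2022 09:18:22) ( ZTS Visual C++ 2019 x64 )"
    sample_m = "[PHP Modules]\nCore\nmysqli\npgsql\n\n[Zend Modules]\n"
    print(assess(sample_v, sample_m))  # exposed: True
```

A host that is on an affected version but has no pgsql module, or has pgsql on a fixed version, is reported as not exposed, which matches the advisory's precondition of the PostgreSQL extension being in use.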
Evidence notes
The supplied source states: “In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.” The same advisory ties Festo Didactic SE MES PC to a replacement Factory Control Panel release as the vendor fix path. The supplied enrichment marks this as not in CISA KEV.
Official resources
- CVE-2022-31625 CVE record (CVE.org)
- CVE-2022-31625 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA CSAF source publication date: 2024-02-27; source republication noted on 2026-01-27. No KEV entry is present in the supplied data.