CVE-2022-4900 Festo Didactic SE CVE debrief

Who should care

Operators, administrators, and support teams responsible for Festo Didactic SE MES PC deployments, especially systems using the Factory Control Panel or any bundled PHP/XAMPP-based component referenced in the advisory. Security teams overseeing local administrative access on these systems should also review exposure.

Technical summary

The advisory describes a heap buffer overflow in PHP associated with the PHP_CLI_SERVER_WORKERS environment variable when set to an excessively large value. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which points to a local issue requiring low privileges and resulting in high availability impact. CISA’s CSAF record links the vulnerability to Festo Didactic SE MES PC and states that Factory Control Panel was released as a replacement for XAMPP on MES PCs, with fixes included in the current version obtained through vendor support.

Defensive priority

Medium. The issue is publicly documented and has a vendor remediation path, but it is not listed as KEV and the published scoring indicates local access is needed. Prioritize if you manage affected MES PC systems or any environment where local users or service accounts can influence PHP runtime environment variables.

Recommended defensive actions

• Obtain the current Factory Control Panel version from Festo technical support and deploy the vendor fix on affected MES PCs.
• Review whether any local users, scripts, or service wrappers can set PHP_CLI_SERVER_WORKERS in the affected environment and restrict that control.
• Audit MES PC hosts for the presence of bundled PHP/XAMPP-related components referenced by the advisory and verify they are covered by the vendor replacement.
• Apply standard least-privilege controls so untrusted local accounts cannot influence application startup environment variables.
• Confirm remediation status through change management and document the affected product IDs and replacement version in asset records.

Evidence notes

CISA CSAF advisory ICSA-26-027-02 identifies CVE-2022-4900 for Festo Didactic SE MES PC and cites the issue as a PHP heap buffer overflow caused by setting PHP_CLI_SERVER_WORKERS to a large value. The advisory’s remediation section says Factory Control Panel is the replacement for XAMPP on MES PCs and that the current version includes fixes. The CVSS vector supplied in the advisory is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, supporting a local availability-focused impact assessment. Published date used here is 2024-02-27; later revision entries reflect advisory maintenance and republication, not the original CVE issue date.

Official resources