PatchSiren cyber security CVE debrief
CVE-2023-0567 Festo Didactic SE CVE debrief
CVE-2023-0567 is a PHP password verification weakness that affects Festo Didactic SE MES PC deployments running a vulnerable PHP version with a malformed Blowfish (bcrypt) hash present in the password store. In PHP 8.0.x before 8.0.28, 8.1.x before 8.1.16, and 8.2.x before 8.2.3, password_verify() may accept some invalid Blowfish hashes as valid. If one of those invalid hashes is stored in a password database, the application may treat any password as correct for that account.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Operators and administrators responsible for Festo Didactic SE MES PC systems, especially deployments still running the XAMPP stack that Factory Control Panel replaces, or an older Factory Control Panel build, since either may carry a vulnerable PHP version that the application relies on for authentication.
Technical summary
The underlying issue is in PHP's password_verify() handling of certain malformed Blowfish hashes. When an invalid hash is present in a password database, the function may return success in cases where it should reject the hash, so any supplied password is accepted for that account. The practical effect is authentication bypass for the affected account if such a hash exists. password_hash() itself does not emit such strings, so a malformed entry indicates a hash written by another path: a migration, a manual edit, or an attacker who already has write access to the store. The advisory references PHP fixes in 8.0.28, 8.1.16, and 8.2.3.
Defensive priority
Medium. The flaw is conditional on a malformed hash already being present in the store, but where one exists the impact for that account is a full authentication bypass, since any password is accepted.
Recommended defensive actions
- Obtain the current Factory Control Panel version from Festo technical support and deploy the vendor-fixed release referenced in the advisory.
- Confirm that every deployed PHP instance, including the PHP bundled with XAMPP or Factory Control Panel rather than only the system package, is at or above 8.0.28, 8.1.16, or 8.2.3 for its branch.
- Review password databases for any Blowfish hash that does not match the strict bcrypt format ($2y$, two-digit cost, 22 salt and 31 digest characters from ./A-Za-z0-9, 60 characters in total) and reset or rehash the affected credentials.
- Audit authentication logs for unusual successful logins tied to accounts that may have stored legacy hashes.
- Follow CISA and vendor guidance for industrial control system hardening and defense-in-depth practices.
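The two checks above (PHP version against the fixed releases, and stored hashes against the bcrypt grammar) as an added worked example. This is not code from Festo, CISA or PatchSiren; it assumes you have exported the username and hash columns from the application's password store into (username, hash) pairs, and the sample rows and version strings below are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Strict grammar of a well-formed bcrypt ("Blowfish") hash string as emitted by
# PHP's password_hash(): a $2a$/$2b$/$2y$ prefix, a two-digit cost 04..31, then
# 22 salt characters and 31 digest characters from the bcrypt base64 alphabet
# ./A-Za-z0-9. A conforming string is always exactly 60 characters long.
_B64 = r"[./A-Za-z0-9]"
BCRYPT_RE = re.compile(r"^\$2[aby]\$(0[4-9]|[12]\d|3[01])\$" + _B64 + "{22}" + _B64 + "{31}$")

# First release on each affected branch that carries the password_verify() fix,
# as listed in the advisory. Branches outside this table are not in scope of the CVE.
FIXED_PHP = {(8, 0): (8, 0, 28), (8, 1): (8, 1, 16), (8, 2): (8, 2, 3)}


def parse_php_version(text: str) -> Tuple[int, int, int]:
    """Parse '8.1.12' or '8.1.12-1ubuntu1' (as printed by: php -r 'echo PHP_VERSION;')."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PHP version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def php_affected(version_text: str) -> bool:
    """True when the build is on an affected branch and older than that branch's fixed release."""
    v = parse_php_version(version_text)
    fixed = FIXED_PHP.get(v[:2])
    return fixed is not None and v < fixed


def hash_problem(stored: str) -> Optional[str]:
    """Why a stored hash is not a well-formed bcrypt string, or None if it is."""
    if not stored.startswith("$2"):
        return "not a bcrypt hash; outside this CVE, review separately"
    if len(stored) != 60:
        return "length %d, expected 60" % len(stored)
    if not BCRYPT_RE.match(stored):
        return "prefix, cost or character set violates the bcrypt grammar"
    return None


def audit_hashes(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (username, reason) for every row whose stored hash should be reset or rehashed."""
    findings = []
    for user, stored in rows:
        reason = hash_problem(stored)
        if reason is not None:
            findings.append((user, reason))
    return findings


# Constructed sample rows (hypothetical usernames; none of these is the hash of a real password).
SAMPLE_ROWS = [
    ("operator", "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),  # well-formed
    ("legacy1", "$2y$10$abcdefghijklmnopqrstu*ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),   # '*' outside the alphabet
    ("legacy2", "$2y$10$abcdefghijklmnopqrstuv"),                                   # truncated, digest missing
    ("legacy3", "$2y$99$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),   # impossible cost factor
    ("svc", "$argon2id$v=19$m=65536,t=4,p=1$c29tZXNhbHQ$c29tZWhhc2g"),            # not bcrypt at all
]

if __name__ == "__main__":
    for ver in ("8.1.12", "8.1.16", "8.2.3", "7.4.33"):
        print(ver, "affected" if php_affected(ver) else "not affected")
    for user, reason in audit_hashes(SAMPLE_ROWS):
        print("reset or rehash %s: %s" % (user, reason))
```

Run the audit against an offline export rather than on the MES PC itself; a grammar violation is a format finding, not proof that password_verify() would accept arbitrary passwords for that row, but every flagged account should be reset anyway, since rehashing requires the user's real password. Rows that are not bcrypt at all are reported separately so they are not silently skipped.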
Evidence notes
This debrief is based on the CISA CSAF republication for Festo Didactic SE MES PC (ICSA-26-027-02) and its linked vendor references. The source description explicitly states the PHP password_verify() issue and affected versions. The remediation entry states that Festo released Factory Control Panel as a replacement for XAMPP on MES PCs and that the current version includes fixes. Timing context follows the CVE published date provided in the corpus (2024-02-27), while the 2026-01-27 CISA republication is treated only as a later advisory update.
Official resources
- CVE-2023-0567 CVE record (CVE.org)
- CVE-2023-0567 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Published in the supplied corpus with CVE date 2024-02-27. The source item shows the initial advisory version on 2024-02-27 and a later CISA republication on 2026-01-27; this debrief uses the CVE published date for issue timing.