PatchSiren cyber security CVE debrief
CVE-2023-25690 Festo Didactic SE CVE debrief
CVE-2023-25690 is a critical HTTP request smuggling issue in Apache HTTP Server 2.4.0 through 2.4.55 that appears when mod_proxy is combined with a RewriteRule or ProxyPassMatch whose substitution re-inserts user-controlled request-target data into the proxied request-target. In the Festo Didactic MES PC advisory, the vendor's remediation is Factory Control Panel, its replacement for the XAMPP stack on MES PCs, obtained in its fixed version from Festo support.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators and engineers responsible for Apache HTTP Server reverse proxies, especially where mod_proxy is used with RewriteRule or ProxyPassMatch. Festo Didactic MES PC operators should also care if their deployment uses the vendor’s XAMPP-based stack or has not yet moved to the fixed Factory Control Panel.
Technical summary
The advisory describes a request smuggling condition in Apache HTTP Server that arises when mod_proxy is enabled together with a RewriteRule or ProxyPassMatch whose non-specific pattern matches part of the user-supplied request-target (URL) and whose variable substitution re-inserts that matched data into the proxied request-target. Because the substituted data comes straight from the request line, an attacker can split or smuggle requests through the proxy, with impacts including bypass of access controls enforced in the proxy, proxying of unintended URLs to existing origin servers, and cache poisoning. CVSS score 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
Immediate. Prioritize any environment running Apache HTTP Server 2.4.0-2.4.55 with mod_proxy plus rewrite or proxy-match rules that substitute user-controlled URL components, and validate any Festo MES PC deployment against the vendor-fixed replacement.
Recommended defensive actions
- Inventory Apache HTTP Server and Festo MES PC deployments that use mod_proxy, RewriteRule, or ProxyPassMatch.
- Upgrade Apache HTTP Server to version 2.4.56 or later where feasible.
- For Festo MES PCs, obtain the current Factory Control Panel version from Festo support as the vendor-recommended replacement for XAMPP.
- Review and simplify reverse-proxy rules so user-supplied request-target data is not reinserted into proxied request-targets via variable substitution.
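As an added example (not code from PatchSiren, Festo, or the Apache project), the following Python script performs the inventory and rule review above against a constructed httpd configuration: it flags RewriteRule [P] and ProxyPassMatch directives whose proxied target is built from a backreference into the request-target, rates unconstrained captures such as (.*) higher than constrained ones, and checks an Apache version banner against the 2.4.0-2.4.55 range stated in the advisory. The sample configuration, the directive set it understands, the severity labels and the one-directive-per-line assumption are all mine, not the advisory's.

```python
"""Heuristic inventory check for the CVE-2023-25690 configuration pattern:
mod_proxy rules whose proxied target is built from a backreference into the
user-supplied request-target.  Added example, not Apache or Festo code.

Assumptions (not from the advisory): one directive per line, no backslash
line continuations, and only RewriteRule [P] and ProxyPassMatch are scanned.
A RewriteRule without [P] whose result later reaches a ProxyPass is out of scope.
"""
import re
import shlex
from dataclasses import dataclass

AFFECTED_MIN = (2, 4, 0)      # range stated in the advisory
AFFECTED_MAX = (2, 4, 55)

_BACKREF = re.compile(r"[$%][0-9]")          # $1..$9 / %1..%9 substitutions
_WILDCARD_GROUP = re.compile(r"\(\.[*+]\)")  # (.*) or (.+): a non-specific capture


@dataclass
class Finding:
    line: int
    directive: str
    severity: str   # "high": wildcard capture re-inserted; "review": constrained capture
    reason: str


def httpd_version_affected(banner: str) -> bool:
    """True when an 'Apache/x.y.z' banner (e.g. from `httpd -v`) lies in 2.4.0-2.4.55.
    A version outside that range is merely outside the advisory's stated scope."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no Apache version in: {banner!r}")
    version = tuple(int(part) for part in m.groups())
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def _tokens(line: str) -> list:
    """Split a config line on whitespace, honouring quotes but keeping regex
    backslashes and '#' characters literal (shlex defaults would eat them)."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.escape = ""          # '\d' inside a pattern must survive
    lex.commenters = ""      # '#' inside a quoted pattern is not a comment
    return list(lex)


def _has_proxy_flag(flags: str) -> bool:
    """RewriteRule flag lists look like [P], [P,L] or [proxy,NE]."""
    if not (flags.startswith("[") and flags.endswith("]")):
        return False
    names = (f.split("=", 1)[0].strip().lower() for f in flags[1:-1].split(","))
    return any(n in ("p", "proxy") for n in names)


def find_risky_rules(config_text: str) -> list:
    """Return one Finding per directive that substitutes request-target data
    into a proxied target.  ProxyPass with a literal target is never flagged."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = _tokens(line)
        except ValueError:       # unbalanced quotes: not a directive we can judge
            continue
        if len(tokens) < 3:
            continue
        directive, pattern, subst = tokens[0], tokens[1], tokens[2]
        name = directive.lower()
        if name == "rewriterule":
            flags = tokens[3] if len(tokens) > 3 else ""
            if not (_has_proxy_flag(flags) and _BACKREF.search(subst)):
                continue
        elif name == "proxypassmatch":
            if not _BACKREF.search(subst):
                continue
        else:
            continue
        severity = "high" if _WILDCARD_GROUP.search(pattern) else "review"
        findings.append(Finding(lineno, directive, severity,
                                f"backreference from {pattern!r} re-inserted into {subst!r}"))
    return findings


# Constructed sample configuration, not taken from any real MES PC or httpd deployment.
SAMPLE_CONFIG = """\
RewriteEngine on
# Wildcard capture from the request path re-inserted into the proxied target
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
# Fixed prefix mapping: nothing from the request-target is substituted
ProxyPass /app/ http://127.0.0.1:8080/app/
# Regex proxy with a constrained capture: still worth a look
ProxyPassMatch "^/api/(v[0-9]+)/status$" "http://127.0.0.1:8081/$1/status"
# Unconstrained regex proxy
ProxyPassMatch ^/legacy/(.*)$ http://127.0.0.1:8082/$1
"""

if __name__ == "__main__":
    print("httpd 2.4.54 in affected range:",
          httpd_version_affected("Server version: Apache/2.4.54 (Unix)"))
    for f in find_risky_rules(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.directive} [{f.severity}] {f.reason}")
```

Run it against the output of `httpd -v` and the concatenated configuration (`httpd -t -D DUMP_INCLUDES` lists the files to feed it). A "high" finding is the shape the advisory describes and should be replaced by a fixed-prefix ProxyPass or a tightly constrained pattern; a "review" finding still re-inserts request data and deserves a look, but the capture group bounds what an attacker can supply.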
Evidence notes
The supplied CISA CSAF advisory (ICSA-26-027-02) ties CVE-2023-25690 to Festo Didactic SE MES PC and describes the vulnerable Apache HTTP Server behavior in mod_proxy configurations. The advisory states affected Apache versions are 2.4.0 through 2.4.55 and recommends updating to at least 2.4.56. The remediation section states that Festo released Factory Control Panel as a replacement for XAMPP on MES PCs and directs customers to Festo support for the fixed version.
Official resources
- CVE-2023-25690 CVE record (CVE.org)
- CVE-2023-25690 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed on 2024-02-27 in the CVE and CISA advisory record. The supplied source record shows a later CISA republication on 2026-01-27, which is not the vulnerability issue date. The advisory window covers Apache HTTP Server 2.4.0-