Advisory

Festo Didactic SE MES PCs Vulnerable to 140 Security Flaws via XAMPP

Take action: If you have Festo Didactic MES PC systems, make sure all devices are isolated from the internet and accessible from trusted networks only. Contact Festo Didactic at services.didactic@festo.com immediately to get the Factory Control Panel replacement that fixes all 140 vulnerabilities in the outdated XAMPP installation.

Learn More

Festo Didactic has is reporting a significant security issue affecting MES PC systems shipped with Windows 10, which come pre-installed with XAMPP, a bundle of third-party open-source applications including the Apache HTTP Server and MariaDB database. 

The advisory, released on January 27, 2026, reports that these systems contain approximately 140 known security vulnerabilities spanning multiple components including PHP, MariaDB, Apache HTTP Server, and phpMyAdmin. These vulnerabilities range could expose industrial control systems and educational environments to unauthorized access, data manipulation, and denial-of-service attacks.

Vulnerabilities summary:

Critical Severity:

  • CVE-2019-11049 (CVSS score 9.8) - Double Free
  • CVE-2015-2301 (CVSS score 9.8) - Use After Free
  • CVE-2019-11043 (CVSS score 9.8) - Buffer Overflow
  • CVE-2019-9025 (CVSS score 9.8) - Out-of-bounds Write
  • CVE-2015-2787 (CVSS score 9.8) - Use After Free
  • CVE-2019-9021 (CVSS score 9.8) - Out-of-bounds Read
  • CVE-2023-25690 (CVSS score 9.8) - HTTP Request Smuggling
  • CVE-2016-3078 (CVSS score 9.8) - Integer Overflow
  • CVE-2014-9705 (CVSS score 9.8) - Improper Restriction of Memory Buffer Operations
  • CVE-2019-9020 (CVSS score 9.8) - Out-of-bounds Read
  • CVE-2019-9023 (CVSS score 9.8) - Out-of-bounds Read
  • CVE-2021-21708 (CVSS score 9.8) - Use After Free
  • CVE-2018-12882 (CVSS score 9.8) - Use After Free
  • CVE-2019-9641 (CVSS score 9.8) - Use of Uninitialized Resource
  • CVE-2019-11036 (CVSS score 9.1) - Buffer Over-read
  • CVE-2019-11039 (CVSS score 9.1) - Out-of-bounds Read
  • CVE-2019-11035 (CVSS score 9.1) - Out-of-bounds Read
  • CVE-2020-7059 (CVSS score 9.1) - Out-of-bounds Read
  • CVE-2014-9709 (CVSS score 9.1) - Improper Restriction of Memory Buffer Operations
  • CVE-2019-11034 (CVSS score 9.1) - Out-of-bounds Read
  • CVE-2020-7061 (CVSS score 9.1) - Out-of-bounds Read
  • CVE-2019-11040 (CVSS score 9.1) - Out-of-bounds Read
  • CVE-2020-7060 (CVSS score 9.1) - Out-of-bounds Read
  • CVE-2022-36760 (CVSS score 9.0) - HTTP Request Smuggling

High Severity:

  • CVE-2022-31626 (CVSS score 8.8) - Buffer Overflow
  • CVE-2020-7065 (CVSS score 8.8) - Stack-based Buffer Overflow
  • CVE-2013-6501 (CVSS score 8.8) - Injection
  • CVE-2023-0568 (CVSS score 8.1) - Incorrect Calculation of Buffer Size
  • CVE-2022-31625 (CVSS score 8.1) - Free of Memory not on the Heap
  • CVE-2016-5385 (CVSS score 8.1) - URL Redirection to Untrusted Site
  • CVE-2022-32083 (CVSS score 7.5) - Improper Handling of Values
  • CVE-2018-19518 (CVSS score 7.5) - Argument Injection
  • CVE-2022-32084 (CVSS score 7.5) - Improper Handling of Values
  • CVE-2022-32088 (CVSS score 7.5) - Improper Handling of Values
  • CVE-2022-27377 (CVSS score 7.5) - Use After Free
  • CVE-2019-9638 (CVSS score 7.5) - Out-of-bounds Read
  • CVE-2019-11044 (CVSS score 7.5) - Improper Null Termination
  • CVE-2022-27458 (CVSS score 7.5) - Use After Free
  • CVE-2022-27452 (CVSS score 7.5) - Reachable Assertion
  • CVE-2022-27387 (CVSS score 7.5) - Buffer Overflow
  • CVE-2022-27376 (CVSS score 7.5) - Use After Free
  • CVE-2022-27445 (CVSS score 7.5) - Improper Input Validation
  • CVE-2022-27457 (CVSS score 7.5) - Use After Free
  • CVE-2022-27384 (CVSS score 7.5) - SQL Injection
  • CVE-2022-27379 (CVSS score 7.5) - SQL Injection
  • CVE-2019-9637 (CVSS score 7.5) - Incorrect Privilege Assignment
  • CVE-2022-32091 (CVSS score 7.5) - Use After Free
  • CVE-2022-27444 (CVSS score 7.5) - SQL Injection
  • CVE-2018-14883 (CVSS score 7.5) - Out-of-bounds Read
  • CVE-2022-27382 (CVSS score 7.5) - Reachable Assertion
  • CVE-2022-27447 (CVSS score 7.5) - Use After Free
  • CVE-2022-27446 (CVSS score 7.5) - Reachable Assertion
  • CVE-2022-27386 (CVSS score 7.5) - SQL Injection
  • CVE-2019-9639 (CVSS score 7.5) - Missing Initialization of Resource
  • CVE-2022-27385 (CVSS score 7.5) - SQL Injection
  • CVE-2023-0662 (CVSS score 7.5) - Uncontrolled Resource Consumption
  • CVE-2022-32089 (CVSS score 7.5) - Improper Handling of Values
  • CVE-2021-46669 (CVSS score 7.5) - Use After Free
  • CVE-2022-27383 (CVSS score 7.5) - Use After Free
  • CVE-2022-32087 (CVSS score 7.5) - Improper Handling of Values
  • CVE-2019-9640 (CVSS score 7.5) - Out-of-bounds Read
  • CVE-2022-27456 (CVSS score 7.5) - Use After Free
  • CVE-2022-27455 (CVSS score 7.5) - Use After Free
  • CVE-2023-27522 (CVSS score 7.5) - HTTP Request Smuggling
  • CVE-2022-32086 (CVSS score 7.5) - Improper Handling of Values
  • CVE-2022-32085 (CVSS score 7.5) - Improper Handling of Values
  • CVE-2021-21702 (CVSS score 7.5) - NULL Pointer Dereference
  • CVE-2019-9024 (CVSS score 7.5) - Out-of-bounds Read
  • CVE-2022-27449 (CVSS score 7.5) - Reachable Assertion
  • CVE-2022-32081 (CVSS score 7.5) - Use After Free
  • CVE-2022-27378 (CVSS score 7.5) - SQL Injection
  • CVE-2006-20001 (CVSS score 7.5) - Out-of-bounds Write
  • CVE-2018-19935 (CVSS score 7.5) - NULL Pointer Dereference
  • CVE-2022-27380 (CVSS score 7.5) - SQL Injection
  • CVE-2022-27381 (CVSS score 7.5) - SQL Injection
  • CVE-2022-27451 (CVSS score 7.5) - Improper Use of Validation Framework
  • CVE-2022-32082 (CVSS score 7.5) - Reachable Assertion
  • CVE-2019-9022 (CVSS score 7.5) - Out-of-bounds Read
  • CVE-2021-27928 (CVSS score 7.2) - Code Injection
  • CVE-2021-2144 (CVSS score 7.2) - Improper Input Validation
  • CVE-2019-11042 (CVSS score 7.1) - Out-of-bounds Read
  • CVE-2019-11041 (CVSS score 7.1) - Out-of-bounds Read
  • CVE-2021-21703 (CVSS score 7.0) - Out-of-bounds Write

Medium Severity:

  • CVE-2020-7069 (CVSS score 6.5) - Improper Input Validation
  • CVE-2021-21706 (CVSS score 6.5) - Path Traversal
  • CVE-2019-11047 (CVSS score 6.5) - Out-of-bounds Read
  • CVE-2019-11050 (CVSS score 6.5) - Out-of-bounds Read
  • CVE-2020-2780 (CVSS score 6.5) - Uncontrolled Resource Consumption
  • CVE-2022-31629 (CVSS score 6.5) - Improper Input Validation
  • CVE-2023-0567 (CVSS score 6.2) - Use of Password Hash With Insufficient Computational Effort
  • CVE-2022-23808 (CVSS score 6.1) - Cross-site Scripting
  • CVE-2018-17082 (CVSS score 6.1) - Cross-site Scripting
  • CVE-2021-2011 (CVSS score 5.9) - Improper Input Validation
  • CVE-2019-11045 (CVSS score 5.9) - Improper Null Termination
  • CVE-2021-21704 (CVSS score 5.9) - Out-of-bounds Read
  • CVE-2021-2389 (CVSS score 5.9) - Improper Input Validation
  • CVE-2021-46668 (CVSS score 5.5) - Uncontrolled Resource Consumption
  • CVE-2020-2760 (CVSS score 5.5) - Improper Input Validation
  • CVE-2021-46666 (CVSS score 5.5) - Reachable Assertion
  • CVE-2018-14851 (CVSS score 5.5) - Out-of-bounds Read
  • CVE-2021-46663 (CVSS score 5.5) - Improper Input Validation
  • CVE-2021-46661 (CVSS score 5.5) - Improper Input Validation
  • CVE-2021-46665 (CVSS score 5.5) - Improper Input Validation
  • CVE-2022-31628 (CVSS score 5.5) - Uncontrolled Recursion
  • CVE-2021-46662 (CVSS score 5.5) - Improper Input Validation
  • CVE-2021-46664 (CVSS score 5.5) - NULL Pointer Dereference
  • CVE-2022-4900 (CVSS score 5.5) - Improper Restriction of Memory Buffer Operations
  • CVE-2021-46667 (CVSS score 5.5) - Integer Overflow
  • CVE-2021-35604 (CVSS score 5.5) - Improper Input Validation
  • CVE-2023-25727 (CVSS score 5.4) - Cross-site Scripting
  • CVE-2020-7064 (CVSS score 5.4) - Out-of-bounds Read
  • CVE-2020-7071 (CVSS score 5.3) - Improper Input Validation
  • CVE-2020-2752 (CVSS score 5.3) - Improper Input Validation
  • CVE-2021-21705 (CVSS score 5.3) - Improper Input Validation
  • CVE-2019-11046 (CVSS score 5.3) - Out-of-bounds Read
  • CVE-2020-7070 (CVSS score 5.3) - Improper Input Validation
  • CVE-2020-7063 (CVSS score 5.3) - Improper Preservation of Permissions
  • CVE-2022-37436 (CVSS score 5.3) - HTTP Request/Response Splitting
  • CVE-2021-21707 (CVSS score 5.3) - Improper Handling of Invalid Use of Special Elements
  • CVE-2019-11048 (CVSS score 5.3) - Uncontrolled Resource Consumption
  • CVE-2021-2194 (CVSS score 4.9) - Improper Input Validation
  • CVE-2021-2166 (CVSS score 4.9) - Improper Input Validation
  • CVE-2020-2814 (CVSS score 4.9) - Improper Input Validation
  • CVE-2021-2180 (CVSS score 4.9) - Improper Input Validation
  • CVE-2020-2812 (CVSS score 4.9) - Improper Input Validation
  • CVE-2021-2154 (CVSS score 4.9) - Improper Input Validation
  • CVE-2021-2372 (CVSS score 4.4) - Improper Input Validation
  • CVE-2021-2022 (CVSS score 4.4) - Improper Input Validation
  • CVE-2022-21595 (CVSS score 4.4) - Improper Input Validation
  • CVE-2021-2174 (CVSS score 4.4) - Improper Input Validation
  • CVE-2021-2032 (CVSS score 4.3) - Improper Input Validation
  • CVE-2022-23807 (CVSS score 4.3) - Improper Authentication
  • CVE-2020-7066 (CVSS score 4.3) - Improper Null Termination

Low Severity:

  • CVE-2020-2922 (CVSS score 3.7) - Exposure of Sensitive Information
  • CVE-2021-2007 (CVSS score 3.7) - Improper Input Validation
  • CVE-2020-7068 (CVSS score 3.6) - Use After Free

The affected product is Festo Didactic SE MES PC shipped with Windows 10, which is primarily used in educational and training environments for industrial control systems. 

Given that MES PCs are intended for didactic purposes in controlled laboratory environments separate from production systems, the actual impact is somewhat mitigated; however, the sheer number of vulnerabilities presents significant security risks if these systems are connected to networks or used in environments with sensitive data.

Festo Didactic has released a remediation solution by developing the Factory Control Panel application as a replacement for the vulnerable XAMPP installation. 

Users are advised to contact Festo Didactic technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel, which addresses all 140 vulnerabilities listed in the advisory. The vendor emphasizes that while the MES PCs are designed for educational use in controlled environments, proper security measures should still be implemented, including network segmentation, firewall protection, and limiting internet exposure of these systems.

Users should minimize network exposure for all control system devices, ensure they are not accessible from the internet, and locate these systems behind firewalls isolated from business networks. When remote access is required, organizations should use secure methods such as Virtual Private Networks (VPNs), while recognizing that VPNs should be kept updated to the most current versions.

Festo Didactic SE MES PCs Vulnerable to 140 Security Flaws via XAMPP
Read More
Combining MS SharePoint Server flaws achieve Remote Code …
Progress Telerik fixes another critical issue in Report …
Bitdefender Total Security fixes multiple flaws classified as …
Critical VMware vulnerabilities enable Virtual Machine escape, host …
CISA reports active exploitation of Cross-Site Scripting flaw …