PatchSiren cyber security CVE debrief

CVE-2015-2301 Festo Didactic SE CVE debrief

CVE-2015-2301 is a critical use-after-free vulnerability in PHP’s Phar archive rename handling. The supplied advisory maps the issue to Festo Didactic SE MES PC deployments and directs customers to replace XAMPP with Factory Control Panel to obtain a fixed version. Remote attackers may be able to trigger denial of service and potentially broader impact where vulnerable PHP versions are present.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Administrators and engineers responsible for Festo Didactic SE MES PC systems, especially any deployment that includes bundled PHP/XAMPP components or web-facing services. Security teams should also care if they manage legacy PHP 5.5.x or 5.6.x environments that may still be exposed to Phar-related inputs.

Technical summary

The vulnerability is a use-after-free in phar_rename_archive within phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6. The trigger described in the advisory is an attempted rename of a Phar archive to the name of an existing file. The source advisory ties the CVE to Festo Didactic SE MES PC and notes a vendor replacement path: Factory Control Panel instead of XAMPP.

Defensive priority

Critical; treat as urgent remediation for any affected MES PC or PHP/XAMPP deployment. The CVSS 3.0 vector provided describes a network-reachable, unauthenticated, no-user-interaction attack with high confidentiality, integrity, and availability impact.

Recommended defensive actions

  • Replace XAMPP with the current Factory Control Panel version provided by Festo Didactic SE.
  • Contact Festo technical support at [email protected] to obtain the current fixed version.
  • Inventory MES PC installations and confirm whether they include vulnerable PHP versions or embedded XAMPP components.
  • Verify that PHP in any exposed or embedded deployment is 5.5.22 or later (or, on the 5.6 branch, 5.6.6 or later).
  • Restrict access to affected services until the fixed vendor package is deployed and validated.
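As an added example (not code from the advisory or from Festo Didactic SE), the inventory and version check above can be scripted against captured `php -v` output. It flags versions inside the affected range exactly as the advisory states it (anything below 5.5.22, and 5.6.x below 5.6.6); host names and outputs are constructed.

```python
import re

# Fixed releases named in the advisory: the 5.5 branch was fixed in 5.5.22
# and the 5.6 branch in 5.6.6. Per the stated range, everything below
# 5.5.22 (including older branches such as 5.4.x) is affected.
FIXED_5_5 = (5, 5, 22)
FIXED_5_6 = (5, 6, 6)

# Matches the version line that `php -v` prints, e.g. "PHP 5.5.19 (cli) ..."
_VERSION_RE = re.compile(r"^PHP\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(php_v_output: str):
    """Return (major, minor, patch) from `php -v` output, or None if absent."""
    m = _VERSION_RE.search(php_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True if this PHP version falls in the CVE-2015-2301 affected range."""
    major, minor, _ = version
    if (major, minor) == (5, 6):
        return version < FIXED_5_6
    return version < FIXED_5_5


def assess_hosts(outputs: dict) -> dict:
    """Map host -> 'affected' / 'fixed' / 'unknown' from captured `php -v` text."""
    result = {}
    for host, text in outputs.items():
        v = parse_php_version(text)
        if v is None:
            result[host] = "unknown"  # no PHP on PATH, or output not captured
        else:
            result[host] = "affected" if is_affected(v) else "fixed"
    return result


# Constructed sample captures (hypothetical hosts) standing in for `php -v`
# output collected from MES PC / XAMPP installations during inventory.
SAMPLE_OUTPUTS = {
    "mes-pc-01": "PHP 5.5.19 (cli) (built: Nov 13 2014 12:28:14)\nCopyright (c) 1997-2014 The PHP Group\n",
    "mes-pc-02": "PHP 5.6.5 (cli) (built: Jan 22 2015 10:05:01)\n",
    "mes-pc-03": "PHP 5.6.40 (cli) (built: Jan 10 2019 13:20:32)\n",
    "mes-pc-04": "PHP 5.4.45 (cli) (built: Sep  2 2015 12:00:00)\n",
    "mes-pc-05": "'php' is not recognized as an internal or external command\n",
}

if __name__ == "__main__":
    for host, status in assess_hosts(SAMPLE_OUTPUTS).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" still need a manual look, since XAMPP bundles its own PHP binary that may not be on the system PATH.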

Evidence notes

All factual claims here are limited to the supplied CSAF advisory text and its listed references. The advisory description explicitly names the PHP use-after-free, the affected version ranges, the remote impact, and the vendor remediation path. No exploit details or unsupported root-cause expansion were added.

Official resources

The supplied source advisory was initially published on 2024-02-27 and later updated/republished on 2026-01-27. The underlying PHP flaw predates that advisory and affects versions before 5.5.22 and 5.6.6.