PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-2787 Festo Didactic SE CVE debrief

CVE-2015-2787 is a critical use-after-free in PHP's unserialize() implementation that can lead to remote code execution when attacker-controlled serialized data is unserialized. The supplied CISA CSAF source republishes the issue in the context of Festo Didactic SE MES PC and points to a vendor replacement/fix path.

Vendor
Festo Didactic SE
Product
MES PC
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-27
Original CVE updated
2026-01-27
Advisory published
2024-02-27
Advisory updated
2026-01-27

Who should care

Security teams responsible for PHP deployments on the 5.4.x branch before 5.4.39, the 5.5.x branch before 5.5.23, or the 5.6.x branch before 5.6.7, and operators of Festo Didactic SE MES PC systems that rely on the vendor-provided software stack (the XAMPP bundle referenced in the source advisory).

Technical summary

The advisory describes a use-after-free in process_nested_data in ext/standard/var_unserializer.re, the routine that reconstructs array elements and object properties while unserialize() parses a serialized string. PHP invokes an object's __wakeup() method during unserialization; when that __wakeup() calls unset() on a property, the value backing the property is freed while process_nested_data still holds a reference to it, and the remaining elements of a crafted string are then processed against freed memory. The source characterizes the result as remotely exploitable code execution. Reaching the bug requires that the application pass attacker-controlled data to unserialize() and that a class whose __wakeup() calls unset() be defined or autoloadable at that point. The supplied CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, no privileges or user interaction required, high impact on confidentiality, integrity and availability).

Defensive priority

Critical

Recommended defensive actions

  • Upgrade PHP to a fixed release at or above 5.4.39, 5.5.23, or 5.6.7, depending on your branch.
  • For Festo Didactic SE MES PC environments, obtain the current Factory Control Panel package from Festo technical support as described in the source remediation.
  • Inventory applications and services that pass untrusted data (request parameters, cookies, client-fed session or cache stores, queue messages) to unserialize(). Replace such calls with a data-only format such as JSON where possible; where serialized PHP data must be accepted, authenticate the blob (for example with an HMAC) before it reaches unserialize(). Patching closes this particular use-after-free but not the broader class of unserialize-on-untrusted-data problems, so this attack surface is worth removing regardless of PHP version.
  • Prioritize exposed systems for validation, patching, and regression testing, especially any systems reachable over untrusted networks.

Evidence notes

The source corpus identifies CVE-2015-2787 as a PHP use-after-free in process_nested_data and rates it CVSS 3.0 9.8. The CISA CSAF source item is a republication dated 2024-02-27 and revised 2026-01-27; it maps the advisory to Festo Didactic SE MES PC and includes a vendor remediation to replace XAMPP with the current Factory Control Panel. The supplied enrichment does not mark the CVE as KEV.

Official resources

The supplied source item is a CISA CSAF republication of a legacy vulnerability assigned CVE-2015-2787; the corpus publication date is 2024-02-27 and the corpus revision history extends to 2026-01-27. Treat those dates as advisory context,