PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-12882 Festo Didactic SE CVE debrief

CVE-2018-12882 is a critical memory-corruption issue in PHP's EXIF handling. The supplied advisory text says exif_read_from_impl in ext/exif/exif.c can trigger a use-after-free in exif_read_from_file because it closes a stream it does not own, and that the vulnerable path is reachable through exif_read_data. In the supplied CISA CSAF mapping, the issue is associated with Festo Didactic SE MES PC systems that used XAMPP/PHP components, with Festo directing users to its Factory Control Panel replacement as the fixed path.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic SE MES PC operators, OT/ICS administrators, and defenders responsible for systems that include PHP 7.2.x through 7.2.7 with the EXIF extension or a bundled XAMPP/PHP stack.

Technical summary

The vulnerability is a use-after-free in PHP's EXIF implementation. According to the supplied description, exif_read_from_impl closes a stream it is not responsible for closing, which can invalidate memory used later by exif_read_from_file. The reachable entry point is exif_read_data. The supplied CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable, unauthenticated, high-impact exposure if the affected code path is present.

Defensive priority

Immediate / critical

Recommended defensive actions

  • Confirm whether any Festo MES PC deployments still use the affected XAMPP/PHP component set.
  • Obtain and deploy Festo's current Factory Control Panel version from the vendor support path noted in the advisory.
  • Treat PHP 7.2.x through 7.2.7 as vulnerable until the fixed vendor package is verified in place.
  • If remediation cannot be completed immediately, isolate affected systems from untrusted network exposure and follow CISA ICS defense-in-depth guidance.
  • Validate after change that the vulnerable EXIF code path is no longer present in the deployed software stack.
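As an added example (not part of the advisory and not Festo's or PHP's own tooling), the following script applies the affected range stated above to inventory data: it parses `php -v` and `php -m` style output per host and flags builds in PHP 7.2.0 through 7.2.7, separating hosts where the EXIF module is loaded from hosts that merely carry an affected build. The host names and command outputs are constructed samples.

```python
import re

# Affected range stated in the debrief: PHP 7.2.x through 7.2.7 (i.e. 7.2.0-7.2.7).
AFFECTED_MIN = (7, 2, 0)
AFFECTED_MAX = (7, 2, 7)

VERSION_RE = re.compile(r"^PHP\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(php_v_output):
    """Return (major, minor, patch) from `php -v` output, or None if unparseable."""
    m = VERSION_RE.search(php_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_modules(php_m_output):
    """Return the lower-cased module names from `php -m` output, skipping [section] headers."""
    return {
        line.strip().lower()
        for line in php_m_output.splitlines()
        if line.strip() and not line.strip().startswith("[")
    }


def assess_host(php_v_output, php_m_output):
    """Classify a host: vulnerable, affected_build, not_affected or unverified.

    'unverified' (no usable version data) is still an action item: the debrief
    says to treat hosts as vulnerable until the fixed package is verified.
    """
    version = parse_php_version(php_v_output)
    if version is None:
        return "unverified"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "not_affected"
    if "exif" in parse_modules(php_m_output):
        return "vulnerable"          # affected build and the EXIF code path is loaded
    return "affected_build"          # affected build; EXIF not loaded, still update


# Constructed sample inventory (hypothetical hosts, not real captured output).
SAMPLE_HOSTS = {
    "mes-pc-01": ("PHP 7.2.5 (cli) (built: May  1 2018 10:00:00)", "[PHP Modules]\nCore\nexif\nstandard\n"),
    "mes-pc-02": ("PHP 7.2.7 (cli)", "[PHP Modules]\nCore\nstandard\n"),
    "mes-pc-03": ("PHP 7.2.8 (cli)", "[PHP Modules]\nCore\nexif\n"),
    "mes-pc-04": ("php: command not found", ""),
}


def assess_inventory(hosts=SAMPLE_HOSTS):
    """Map each host name to its verdict."""
    return {host: assess_host(v, m) for host, (v, m) in hosts.items()}


if __name__ == "__main__":
    for host, verdict in assess_inventory().items():
        print(f"{host}: {verdict}")
```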

Evidence notes

The supplied source item is CISA CSAF ICSA-26-027-02, republished on 2026-01-27, and it explicitly maps CVE-2018-12882 to Festo Didactic SE MES PC. The advisory text repeats the PHP EXIF use-after-free description and names exif_read_data as the reachable function. The remediations field states that Festo released Factory Control Panel as a replacement for XAMPP on MES PCs and provides a support contact for the fixed version. No CISA KEV entry is present in the supplied enrichment.

Official resources

The supplied source corpus shows initial publication on 2024-02-27 and a later republication on 2026-01-27. The CVE identifier is CVE-2018-12882, but this debrief uses the provided source and publication timeline for context rather than the