PatchSiren cyber security CVE debrief
CVE-2018-14883 Festo Didactic SE CVE debrief
CVE-2018-14883 is a PHP EXIF parsing vulnerability cited in CISA's Festo Didactic SE MES PC advisory. The issue can lead to a heap-based buffer over-read in exif_thumbnail_extract; it carries a CVSS 3.0 score of 7.5, with availability as the primary impact. Festo's remediation notes indicate that Factory Control Panel replaces XAMPP on affected MES PCs and includes the fixes.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Operators and maintainers of Festo Didactic SE MES PC deployments, especially OT/ICS teams responsible for the bundled XAMPP/PHP stack or any MES PC installation using the affected EXIF component.
Technical summary
The vulnerability is described as an integer overflow in PHP’s EXIF handling that results in a heap-based buffer over-read in exif_thumbnail_extract within exif.c. The affected PHP versions are before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-reachable issue with significant availability impact and no recorded confidentiality or integrity impact in the source record.
Defensive priority
High for exposed MES PC environments because the issue is network-reachable, requires no privileges or user interaction per the CVSS vector, and can materially affect availability in an industrial context.
Recommended defensive actions
- Verify whether any MES PC deployments include the vulnerable XAMPP/PHP components referenced by the advisory.
- Update to the vendor-provided Factory Control Panel replacement identified in the remediation notes, or otherwise ensure the affected PHP versions are not present.
- Confirm the exact software version in use on each MES PC and compare it against the vulnerable PHP ranges listed in the CVE description.
- Prioritize patching or replacement on systems that are reachable from less trusted networks or that support production operations.
- Monitor advisory updates from CISA and Festo for any product-specific clarification or revised remediation guidance.
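A version check supporting the inventory steps above, added here as an example and not part of the advisory or of Festo's tooling: it encodes the affected PHP ranges exactly as the CVE description states them and evaluates constructed `php -v` banners of the kind an MES PC's XAMPP install would print.

```python
"""Classify a PHP version against the CVE-2018-14883 affected ranges.

Ranges come from the CVE description on this page: PHP before 5.6.37,
7.0.x before 7.0.31, 7.1.x before 7.1.20, 7.2.x before 7.2.8.
The `php -v` banners in SAMPLE_BANNERS are constructed for illustration.
"""
import re

# First fixed release for each series the CVE names explicitly.
FIXED_BY_SERIES = {
    (7, 0): (7, 0, 31),
    (7, 1): (7, 1, 20),
    (7, 2): (7, 2, 8),
}

def parse_version(text):
    """Return (major, minor, patch) from text such as `php -v` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no X.Y.Z version found in: %r" % text)
    return tuple(int(g) for g in m.groups())

def is_vulnerable(version):
    """True if `version` falls inside one of the CVE-2018-14883 ranges."""
    if version < (5, 6, 37):
        return True  # "before 5.6.37" covers every earlier release
    fixed = FIXED_BY_SERIES.get(version[:2])
    if fixed is None:
        return False  # 5.6.37+ or a series the CVE does not list (7.3+)
    return version < fixed

def assess_banner(banner):
    """Return (version_string, vulnerable) for one `php -v` banner line."""
    version = parse_version(banner)
    return ".".join(map(str, version)), is_vulnerable(version)

# Constructed banners: typical of XAMPP-bundled PHP, not captured output.
SAMPLE_BANNERS = [
    "PHP 7.2.7 (cli) (built: Jun 20 2018 10:52:10) ( ZTS MSVC15 (Visual C++ 2017) x64 )",
    "PHP 7.2.8 (cli) (built: Jul 18 2018 12:00:00) ( ZTS MSVC15 (Visual C++ 2017) x64 )",
    "PHP 5.6.36 (cli) (built: Apr 25 2018 12:01:56)",
    "PHP 7.3.0 (cli) (built: Dec  6 2018 01:54:25) ( NTS )",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        ver, vuln = assess_banner(banner)
        print("%-8s %s" % (ver, "VULNERABLE" if vuln else "not in affected range"))
```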
Evidence notes
The source corpus links CVE-2018-14883 to CISA advisory ICSA-26-027-02 for Festo Didactic SE MES PC, with references to the Festo advisory FSA-202402 and CISA’s advisory page. The remediation text explicitly says Factory Control Panel replaces XAMPP on MES PCs and includes fixes for these vulnerabilities. The source record also provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and lists the affected PHP version ceilings in the CVE description.
Official resources
- CVE-2018-14883 CVE record (CVE.org)
- CVE-2018-14883 NVD detail (NVD)
- Source item URL (cisa_csaf)
CVE-2018-14883 is the published CVE identifier used in the source advisory record dated 2024-02-27, with the source later republished by CISA on 2026-01-27. The underlying PHP issue affects versions older than the fixed releases listed in D