PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-9020 Festo Didactic SE CVE debrief

CVE-2019-9020 is a critical PHP memory-safety issue that CISA republished in the context of Festo Didactic SE MES PC. The advisory ties the affected environment to a PHP/XAMPP-based stack and says Factory Control Panel replaces XAMPP on MES PCs and includes fixes. Organizations should verify whether any MES PC deployments still rely on the vulnerable component set and move to the vendor-supported replacement immediately.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

OT/ICS administrators, MES PC owners, Festo Didactic support teams, and defenders responsible for PHP/XAMPP-based industrial workstation images or any XML-RPC exposure in controlled environments.

Technical summary

The vulnerability is in PHP's xmlrpc_decode() handling and can trigger invalid memory access, including a heap out-of-bounds read or read-after-free, in xml_elem_parse_buf within ext/xmlrpc/libxmlrpc/xml_element.c. The supplied advisory describes affected PHP releases as versions before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. In the Festo context, the remediation points to replacing XAMPP on MES PCs with Factory Control Panel, which the advisory says includes fixes for these vulnerabilities.

Defensive priority

Critical. Treat this as urgent anywhere the affected PHP/XML-RPC component chain remains present on MES PCs or related OT workstations.

Recommended defensive actions

  • Inventory MES PC deployments and confirm whether the vulnerable XAMPP-based stack is still present.
  • Obtain and deploy the current Factory Control Panel from Festo technical support as directed by the advisory.
  • Plan for a restart of the vulnerable component during replacement or upgrade.
  • Restrict network access to any management or service interfaces that do not need broad exposure.
  • Remove or disable XML-RPC functionality where it is not operationally required.
  • Validate remediation against the vendor advisory and retain patch evidence for audit and change control.
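The inventory step above and the affected-version ranges given in the technical summary can be turned into a repeatable host check. The following script is an added example written for this debrief, not code from PatchSiren, Festo or CISA: it encodes the advisory's ranges (before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, 7.3.x before 7.3.1), parses the output of `php -v` and `php -m` collected from a workstation, and reports whether the host runs an affected PHP with the xmlrpc extension loaded. The sample `php -v` and `php -m` outputs embedded at the bottom are constructed for illustration and do not describe any particular XAMPP build.

```python
"""Host check for CVE-2019-9020 exposure: affected PHP version plus loaded xmlrpc extension.

Added example for this debrief; the version ranges come from the advisory text,
the sample outputs are constructed.
"""
import re

# Affected PHP ranges exactly as the advisory states them, expressed as
# (lower bound inclusive, upper bound exclusive) version tuples.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 6, 40)),  # before 5.6.40
    ((7, 0, 0), (7, 1, 26)),  # 7.x before 7.1.26 (includes 7.0.x)
    ((7, 2, 0), (7, 2, 14)),  # 7.2.x before 7.2.14
    ((7, 3, 0), (7, 3, 1)),   # 7.3.x before 7.3.1
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first X.Y.Z version found in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """True if a PHP version string (e.g. '7.2.13') falls inside an affected range."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable PHP version: {version!r}")
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def xmlrpc_loaded(php_m_output):
    """True if 'xmlrpc' appears as a module name in the output of `php -m`."""
    return any(line.strip().lower() == "xmlrpc" for line in php_m_output.splitlines())


def assess(php_v_output, php_m_output):
    """Combine `php -v` and `php -m` output into a single finding for one host.

    Verdicts:
      vulnerable                          affected version and xmlrpc extension loaded
      affected-version-xmlrpc-not-loaded  affected version, but the extension is not loaded
      not-affected                        version outside every affected range
      unknown                             version could not be parsed
    """
    version = parse_version(php_v_output)
    if version is None:
        return {"version": None, "affected": None, "xmlrpc": None, "verdict": "unknown"}
    vstr = ".".join(map(str, version))
    affected = is_affected(vstr)
    loaded = xmlrpc_loaded(php_m_output)
    if affected and loaded:
        verdict = "vulnerable"
    elif affected:
        verdict = "affected-version-xmlrpc-not-loaded"
    else:
        verdict = "not-affected"
    return {"version": vstr, "affected": affected, "xmlrpc": loaded, "verdict": verdict}


# Constructed sample outputs standing in for what `php -v` and `php -m` would
# print on a workstation; they are not taken from any real XAMPP image.
SAMPLE_PHP_V = (
    "PHP 7.2.13 (cli) (built: Dec  6 2018 12:34:56) ( NTS MSVC15 (Visual C++ 2017) x64 )\n"
    "Copyright (c) 1997-2018 The PHP Group\n"
)
SAMPLE_PHP_M = "[PHP Modules]\nbcmath\nCore\nctype\nmbstring\nxml\nxmlrpc\n\n[Zend Modules]\n"

if __name__ == "__main__":
    # In practice, feed in the captured command output for each MES PC.
    print(assess(SAMPLE_PHP_V, SAMPLE_PHP_M))
```

A host that reports `affected-version-xmlrpc-not-loaded` still warrants the vendor-supported replacement; the verdict only distinguishes whether the xmlrpc_decode() code path is currently reachable from whether the vulnerable PHP build is present at all.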

Evidence notes

The CISA CSAF source for ICSA-26-027-02 links CVE-2019-9020 to Festo Didactic SE MES PC and cites the underlying PHP xmlrpc_decode() memory-access issue. The remediation section states that Factory Control Panel replaces XAMPP on MES PCs and includes fixes, with the current version obtainable from Festo technical support. The supplied timeline shows the advisory initially published on 2024-02-27 and republished on 2026-01-27. No KEV entry is listed in the provided data.

Official resources

Publicly disclosed through CISA advisory ICSA-26-027-02, initially published on 2024-02-27 and republished on 2026-01-27 in the supplied source corpus.