PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-9021 Festo Didactic SE CVE debrief

CVE-2019-9021 is a critical (CVSS 9.8) memory-disclosure flaw in the file-name parsing of PHP's PHAR extension. A heap-based buffer over-read lets the parser read allocated or unallocated memory past the end of the actual file-name data, which can expose process memory to an attacker who influences the name being parsed. The supplied CISA CSAF advisory maps the issue to Festo Didactic SE's MES PC, where the affected PHP shipped as part of an XAMPP stack; Festo directs customers to a replacement Factory Control Panel release that includes the fixes.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: 9.8 (Critical)
CISA KEV: not listed in stored evidence
CVE record: CVE-2019-9021, published 2019-02-22 (the dates below are the advisory's, not the CVE record's)
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

OT/ICS administrators, MES PC operators, and security teams responsible for Festo Didactic SE deployments should review this immediately, in particular wherever the bundled XAMPP stack, or any other PHP build older than the fixed releases with the phar extension enabled, may still be present.

Technical summary

The underlying vulnerability is a heap-based buffer over-read in the PHAR reading functions of PHP's phar extension, specifically in phar_detect_phar_fname_ext in ext/phar/phar.c. While parsing a file name, affected PHP versions can read beyond the end of the actual name data into adjacent allocated or unallocated heap memory, so the contents of neighbouring heap objects may leak into the parse result or into an error path. Reaching the defective code requires an attacker-influenced file name to be handled by PHP's PHAR logic, for example a path passed through the phar:// stream wrapper, which is why the exposure of any PHP-driven interface on the MES PC matters. The CISA CSAF source associates the issue with Festo Didactic SE MES PC and states that a current Factory Control Panel release replaces XAMPP on those systems and includes the fixes.
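The shape of that defect, as an added illustration written for this page and not PHP's own code: a scanner is handed a file name as (pointer, length) but walks the extension until it meets a byte that is not a name character, so a name that is not NUL-terminated within its length lets the walk continue into whatever sits next on the heap. The functions detect_ext_unbounded and detect_ext_bounded, the sample name archive.phar and the neighbouring bytes SESSIONKEY42 are all constructed for the demonstration; the real phar_detect_phar_fname_ext() is much larger and is not reproduced. To keep the over-read well-defined for a demo, the name and its "neighbour" are placed in one allocation, which preserves the effect (the scanner returns neighbouring bytes as part of the extension) without invoking undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class, not the PHP source: a scanner that
   receives (pointer, length) but stops on byte content instead of on the
   length it was given. */

typedef struct {
    int start;   /* offset of the first extension byte, -1 if there is no '.' */
    int len;     /* number of extension bytes the scanner consumed */
} ext_span;

static int is_ext_char(unsigned char c) { return isalnum(c) != 0; }

/* Offset of the last '.' inside the first name_len bytes, or -1. */
static int last_dot(const char *name, size_t name_len) {
    for (size_t i = name_len; i-- > 0;)
        if (name[i] == '.') return (int)i;
    return -1;
}

/* Vulnerable: the extension walk has no upper bound. If the name is not
   NUL-terminated inside name_len, it keeps reading whatever follows it. */
static ext_span detect_ext_unbounded(const char *name, size_t name_len) {
    ext_span r = { -1, 0 };
    int dot = last_dot(name, name_len);
    if (dot < 0) return r;
    r.start = dot + 1;
    const char *p = name + r.start;
    while (is_ext_char((unsigned char)*p)) p++;   /* BUG: no p < name + name_len */
    r.len = (int)(p - (name + r.start));
    return r;
}

/* Hardened: every read is checked against the end of the caller's data. */
static ext_span detect_ext_bounded(const char *name, size_t name_len) {
    ext_span r = { -1, 0 };
    int dot = last_dot(name, name_len);
    if (dot < 0) return r;
    r.start = dot + 1;
    const char *p = name + r.start, *end = name + name_len;
    while (p < end && is_ext_char((unsigned char)*p)) p++;
    r.len = (int)(p - (name + r.start));
    return r;
}

/* Constructed demo layout: the 12-byte name "archive.phar" with no terminator
   of its own, immediately followed by unrelated data standing in for a
   neighbouring heap object. */
#define NAME      "archive.phar"
#define NEIGHBOUR "SESSIONKEY42"
#define NAME_LEN  (sizeof(NAME) - 1)

static char *build_block(void) {
    char *block = calloc(1, NAME_LEN + sizeof(NEIGHBOUR));
    if (!block) abort();
    memcpy(block, NAME, NAME_LEN);
    memcpy(block + NAME_LEN, NEIGHBOUR, sizeof(NEIGHBOUR)); /* copies the NUL too */
    return block;
}

/* How many bytes past the end of the name the vulnerable scanner consumed. */
int overread_bytes(void) {
    char *block = build_block();
    int extra = detect_ext_unbounded(block, NAME_LEN).len
              - detect_ext_bounded(block, NAME_LEN).len;
    free(block);
    return extra;
}

/* Extension length as reported by the bounded scanner ("phar" -> 4). */
int bounded_ext_len(void) {
    char *block = build_block();
    int len = detect_ext_bounded(block, NAME_LEN).len;
    free(block);
    return len;
}

int main(void) {
    char *block = build_block();
    ext_span v = detect_ext_unbounded(block, NAME_LEN);
    ext_span b = detect_ext_bounded(block, NAME_LEN);
    printf("unbounded: ext=%.*s (%d bytes, %d past the name)\n",
           v.len, block + v.start, v.len, v.len - b.len);
    printf("bounded:   ext=%.*s (%d bytes)\n", b.len, block + b.start, b.len);
    free(block);
    return 0;
}
```

The unbounded scanner reports an extension of "pharSESSIONKEY42", sixteen bytes of which twelve were never part of the name; the bounded one stops at "phar". In a real process the bytes past the name belong to whatever object happens to be adjacent, which is exactly the memory an attacker hopes to see reflected back.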

Defensive priority

Immediate

Recommended defensive actions

  • Identify all Festo MES PC deployments and confirm whether the affected component is present: an XAMPP or other PHP installation older than the fixed releases (5.6.40, 7.1.26, 7.2.14, 7.3.1) with the phar extension loaded.
  • Obtain and deploy the current Factory Control Panel version from Festo technical support, as directed in the advisory.
  • Replace or upgrade any remaining XAMPP-based or PHP-based components according to Festo guidance; do not leave a patched Factory Control Panel alongside an orphaned legacy PHP install.
  • Verify remediation against the official CISA and vendor advisories and record the result in the internal asset inventory.
  • Apply standard ICS hardening around the affected systems: network segmentation so that PHP-driven interfaces are not reachable from untrusted zones, least privilege for the MES PC service accounts, and monitoring of access to those interfaces.

Evidence notes

The supplied source item is CISA CSAF advisory ICSA-26-027-02 for Festo Didactic SE MES PC. Its description matches the PHP PHAR heap-based buffer over-read language in the CVE record, and its remediation section states that Festo released Factory Control Panel as a replacement for XAMPP on MES PCs and that customers should contact technical support for the fixed version. The advisory metadata shows initial publication on 2024-02-27 and a later republication/revision history entry on 2026-01-27; those are advisory dates, not the original vulnerability date.

Official resources

The source advisory was published on 2024-02-27, with later revision/republication history on 2026-01-27. The CVE description itself refers to the PHP vulnerability affecting PHP before 5.6.40, 7.1.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. The supplied