PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-9022 Festo Didactic SE CVE debrief

CVE-2019-9022 describes an out-of-bounds read in PHP's DNS handling: dns_get_record can misparse a crafted DNS response so that php_parserr calls memcpy with a length that reads beyond the DNS buffer. The issue is triggered by a hostile DNS server and affects DNS_CAA and DNS_ANY queries in ext/standard/dns.c. In the supplied Festo/CISA advisory context, the vulnerability is mapped to Festo Didactic SE MES PC, with remediation pointing to Factory Control Panel as the replacement for XAMPP on MES PCs. Operators should verify whether their MES PC deployment includes the affected PHP component and apply the vendor's remediation path where applicable.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic SE MES PC operators, OT/industrial system maintainers, and security teams responsible for deployments that include the affected PHP DNS component or vendor-provided XAMPP/Factory Control Panel stack.

Technical summary

The flaw is a DNS parsing error in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. A malformed DNS response can lead dns_get_record to mishandle record lengths and invoke memcpy in a way that reads past the buffer allocated for DNS data. The affected code path is php_parserr in ext/standard/dns.c, specifically for DNS_CAA and DNS_ANY queries. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a remotely reachable confidentiality-impacting issue with no privileges or user interaction required.
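The length check that this class of DNS parsing bug omits, shown in an added Python example (not PatchSiren's code and not PHP's): a minimal parser for the answer section of a DNS response that validates every label length, compression pointer and RDLENGTH against the bytes actually received before any data is copied, and rejects a response whose RDLENGTH claims more data than remains. The sample messages, the example.com name and the CAA record content are constructed test data; the parser is a generic illustration of the defect class, not a reconstruction of php_parserr.

```python
from __future__ import annotations
import struct

CAA_TYPE = 257  # RR type number for CAA (RFC 8659)


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a DNS name starting at `off`.

    Returns (name, offset just past the name in the original stream). Every
    byte access is checked against len(msg), and compression pointers must
    point strictly backwards so a hostile response cannot loop the parser.
    """
    labels = []
    end = None          # position after the name in the un-jumped stream
    hops = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("too many compression hops")
            off = ptr
            continue
        if length == 0:                                # root label ends the name
            return ".".join(labels) or ".", (off + 1 if end is None else end)
        if off + 1 + length > len(msg):
            raise ValueError("label length exceeds message")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_answers(msg: bytes) -> list[dict]:
    """Walk the header, question and answer sections, validating lengths.

    The RDLENGTH check is the one this bug class lacks: the record's claimed
    data length is compared with the bytes actually remaining in the message
    before anything is copied out of it.
    """
    if len(msg) < 12:
        raise ValueError("header truncated")
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                           # skip QNAME, QTYPE, QCLASS
        _name, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("question truncated")
        off += 4
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("RR fixed fields truncated")
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlength > len(msg):
            raise ValueError(f"RDLENGTH {rdlength} exceeds the {len(msg) - off} bytes remaining")
        records.append({"name": name, "type": rtype, "ttl": ttl, "rdata": msg[off:off + rdlength]})
        off += rdlength
    return records


def decode_caa(rdata: bytes) -> dict:
    """Decode CAA RDATA (flags, tag length, tag, value) with its own length check."""
    if len(rdata) < 2:
        raise ValueError("CAA rdata too short")
    flags, tag_len = rdata[0], rdata[1]
    if 2 + tag_len > len(rdata):
        raise ValueError("CAA tag length exceeds rdata")
    return {"flags": flags,
            "tag": rdata[2:2 + tag_len].decode("ascii"),
            "value": rdata[2 + tag_len:].decode("ascii")}


def build_sample_response(rdlength_override: int | None = None) -> bytes:
    """Constructed test message: one CAA question and one CAA answer for example.com.

    With rdlength_override set, the answer advertises more data than the
    message carries, which is the malformed shape the parser must reject.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", CAA_TYPE, 1)
    rdata = bytes([0, 5]) + b"issue" + b"ca.example.net"
    rdlength = len(rdata) if rdlength_override is None else rdlength_override
    answer = b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, 1, 3600, rdlength) + rdata
    return header + question + answer


def safe_parse(msg: bytes) -> tuple[list[dict] | None, str | None]:
    """Return (records, None) for a well-formed response or (None, reason) for a rejected one."""
    try:
        return parse_answers(msg), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(safe_parse(build_sample_response()))
    print(safe_parse(build_sample_response(rdlength_override=0xFFFF)))
```

The second call in the usage at the bottom returns a rejection reason instead of a record; a parser written this way fails closed on a truncated or oversized record, which is the behaviour the fixed PHP releases restore.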

Defensive priority

High. The issue is remotely triggerable through DNS traffic, requires no authentication or user interaction, and can expose data through out-of-bounds reads. Prioritize validation and remediation for any affected MES PC systems and any PHP deployments using the vulnerable versions.

Recommended defensive actions

  • Confirm whether MES PC installations use the affected PHP versions or a vendor bundle that includes them.
  • Apply the vendor remediation path identified in the advisory: obtain the current Factory Control Panel release from Festo technical support, since it is described as the replacement for XAMPP on MES PCs.
  • Upgrade PHP to a fixed version if the affected component is separately managed: 7.1.26+, 7.2.14+, or 7.3.2+.
  • Review DNS resolution exposure for the affected systems and ensure they rely on trusted, monitored resolvers.
  • Follow CISA ICS recommended practices for defense in depth and segmentation around industrial/OT assets.
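A helper for the first and third actions above, as an added Python example (not PatchSiren's or Festo's tooling): it parses the banner printed by `php -v`, classifies the version against the fixed releases named in this debrief (7.1.26, 7.2.14, 7.3.2), and can run the same check against a local PHP interpreter. The banner strings are constructed samples; the `php` binary path is an assumption and on an XAMPP-based MES PC should be pointed at the bundled interpreter.

```python
from __future__ import annotations
import re
import subprocess

# Fixed releases per 7.x branch, as stated in this debrief.
FIXED_RELEASES = {1: (7, 1, 26), 2: (7, 2, 14), 3: (7, 3, 2)}

# Constructed sample banners in the shape of the first line of `php -v` output.
SAMPLE_BANNERS = {
    "xampp-old": "PHP 7.2.10 (cli) (built: Sep 13 2018 10:00:00) ( NTS )",
    "patched":   "PHP 7.3.2 (cli) (built: Feb  5 2019 12:00:00) ( ZTS )",
    "newer":     "PHP 8.1.12 (cli) (built: Oct 25 2022 10:00:00) (NTS)",
}


def parse_php_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    match = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("no PHP version string found in banner")
    return tuple(int(part) for part in match.groups())


def is_affected(version: tuple) -> bool:
    """True when the version falls in a range this debrief names as vulnerable.

    7.x before 7.1.26 (every 7.0.x and 7.1.x below 7.1.26), 7.2.x before
    7.2.14, and 7.3.x before 7.3.2. Versions outside those branches are
    reported as not affected by the stated ranges; that is not a statement
    about releases the advisory does not cover.
    """
    major, minor, _patch = version
    if major != 7:
        return False
    if minor <= 1:
        return version < FIXED_RELEASES[1]
    if minor in FIXED_RELEASES:
        return version < FIXED_RELEASES[minor]
    return False


def fixed_release_for(version: tuple) -> tuple | None:
    """Minimum fixed release for an affected version, or None when not affected."""
    if not is_affected(version):
        return None
    minor = version[1]
    return FIXED_RELEASES[1] if minor <= 1 else FIXED_RELEASES[minor]


def classify_banner(banner: str) -> dict:
    """Combine parsing and classification into one record for reporting."""
    version = parse_php_version(banner)
    fix = fixed_release_for(version)
    return {"version": ".".join(map(str, version)),
            "affected": fix is not None,
            "fix": None if fix is None else ".".join(map(str, fix))}


def check_local_php(php_binary: str = "php") -> dict | None:
    """Run `php -v` on this host and classify the result.

    `php_binary` defaults to whatever is on PATH (an assumption); on an
    XAMPP-based MES PC pass the full path of the bundled php executable.
    Returns None when the interpreter cannot be started or gives no banner.
    """
    try:
        result = subprocess.run([php_binary, "-v"], capture_output=True, text=True, check=False)
    except OSError:
        return None
    lines = result.stdout.splitlines()
    try:
        return classify_banner(lines[0] if lines else "")
    except ValueError:
        return None


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(label, classify_banner(banner))
    print("local:", check_local_php())
```

Run it on each MES PC (or against each PHP installation an inventory lists) and treat an `affected: True` result as the trigger for the Factory Control Panel upgrade or a direct PHP upgrade, depending on which of the two actions above applies to that host.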

Evidence notes

This debrief is based only on the supplied CSAF/CISA source item and the official links included in the corpus. The vulnerability text explicitly states a PHP dns_get_record parsing error that can cause memcpy to read beyond the DNS buffer, and ties the impact to php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries. The source metadata maps the advisory to Festo Didactic SE MES PC, and the remediation field states that Factory Control Panel replaces XAMPP on MES PCs. Timing context: the CVE published date used here is 2024-02-27, while the source item also records a later 2026-01-27 CISA republication date; that republication date should not be treated as the original vulnerability date.

Official resources

Publicly disclosed; no KEV listing was provided in the supplied enrichment, and no ransomware campaign association was provided in the source corpus.