PatchSiren cyber security CVE debrief
CVE-2019-9023 Festo Didactic SE CVE debrief
CVE-2019-9023 is a critical heap-based buffer over-read issue in PHP mbstring regular expression handling for invalid multibyte input. In the supplied CISA/Festo advisory corpus, the issue is associated with Festo Didactic SE MES PC deployments and the remediation path is to move to Factory Control Panel, which is described as the replacement for XAMPP on MES PCs and includes fixes. The CISA source item was first published on 2024-02-27 and later republished on 2026-01-27; those dates are advisory publication milestones, not the original vulnerability date.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
OT/ICS operators running Festo Didactic SE MES PC systems, administrators responsible for the underlying software stack, vulnerability management teams, and any site that still depends on PHP mbstring or XAMPP components referenced by the advisory.
Technical summary
The advisory text describes multiple heap-based buffer over-read instances in PHP mbstring regular expression code paths when invalid multibyte data is supplied, with affected upstream versions listed as PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. The CISA CSAF record ties the issue to MES PC and names the replacement product, Factory Control Panel, as the fix path. The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
Urgent. This is rated critical (9.8) in the supplied record, has no privileges or user interaction in the CVSS vector, and has a vendor remediation already identified. Prioritize inventory, replacement, and version verification on any affected MES PC deployments.
Recommended defensive actions
- Identify all Festo MES PC installations and confirm whether they still use the vulnerable PHP/XAMPP-based stack referenced in the advisory.
- Contact Festo technical support and deploy the current Factory Control Panel version that Festo states includes fixes for these vulnerabilities.
- If you manage PHP separately, verify the installed version is at least 5.6.40, 7.1.26, 7.2.14, or 7.3.1, as applicable.
- Review exposed OT/ICS endpoints for unnecessary access paths to the affected application stack and reduce exposure where feasible.
- Apply CISA ICS defense-in-depth and recommended practices guidance for segmentation, monitoring, and secure maintenance of OT assets.
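One way to carry out the version check from the list above, as an added example that is not from the advisory or from Festo: it parses `php -v` / `php -m` output, applies the advisory's per-branch fixed releases (5.6.40, 7.1.26, 7.2.14, 7.3.1), and treats 7.0.x as covered by "7.x before 7.1.26" with no fixed release of its own. The sample command output is constructed for illustration.

```python
import re

# Fixed releases per branch, taken from the advisory's affected ranges:
# "PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, 7.3.x before 7.3.1".
FIXED = {
    (5, 6): (5, 6, 40),
    (7, 1): (7, 1, 26),
    (7, 2): (7, 2, 14),
    (7, 3): (7, 3, 1),
}

def parse_php_version(php_v_output):
    """Return (major, minor, patch) from the banner line of `php -v`."""
    m = re.search(r"^PHP (\d+)\.(\d+)\.(\d+)", php_v_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'PHP x.y.z' banner line found in php -v output")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Everything older than the 5.6 branch sits inside "before 5.6.40", and
    # 7.0.x sits inside "7.x before 7.1.26"; neither has a fixed release.
    # 7.4+ and 8.x postdate the fixes and are outside the listed ranges.
    return branch < (5, 6) or branch == (7, 0)

def mbstring_loaded(php_m_output):
    """True if `php -m` lists the mbstring extension (the affected code lives there)."""
    return any(line.strip().lower() == "mbstring" for line in php_m_output.splitlines())

def assess(php_v_output, php_m_output):
    """Classify a host: 'patched', 'vulnerable', or 'vulnerable build, mbstring not loaded'."""
    version = parse_php_version(php_v_output)
    if not is_vulnerable(version):
        return "patched"
    if mbstring_loaded(php_m_output):
        return "vulnerable"
    return "vulnerable build, mbstring not loaded"

# Constructed sample output resembling a Windows XAMPP-style PHP CLI banner.
SAMPLE_PHP_V = """PHP 7.2.10 (cli) (built: Sep 13 2018 21:47:54) ( ZTS MSVC15 (Visual C++ 2017) x64 )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies"""
SAMPLE_PHP_M = "[PHP Modules]\nCore\nmbstring\nopenssl\n\n[Zend Modules]\n"

if __name__ == "__main__":
    print(parse_php_version(SAMPLE_PHP_V), assess(SAMPLE_PHP_V, SAMPLE_PHP_M))
```

In practice, feed it the real output of `php -v` and `php -m` from each MES PC; a build reported as "vulnerable build, mbstring not loaded" still warrants the Factory Control Panel upgrade, since enabling the extension later would expose the affected code.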
Evidence notes
The source corpus directly states the upstream PHP mbstring issue, the affected version ranges, the CVSS 3.0 vector, and the file areas involved. It also states that Festo released Factory Control Panel as a replacement for XAMPP on MES PCs and that the current version includes fixes. No KEV listing is present in the supplied data.
Official resources
- CVE-2019-9023 CVE record (CVE.org)
- CVE-2019-9023 NVD detail (NVD)
- Source item URL (cisa_csaf)
The supplied CISA CSAF record was first published on 2024-02-27 and republished on 2026-01-27. No known exploitation or KEV entry is included in the provided corpus.