PatchSiren cyber security CVE debrief
CVE-2019-9024 Festo Didactic SE CVE debrief
Festo Didactic’s MES PC advisory maps CVE-2019-9024 to the PHP component used in its legacy XAMPP-based stack. The flaw lets a hostile XML-RPC server drive an out-of-bounds memory read in xmlrpc_decode(), creating a confidentiality risk for affected deployments. Festo’s documented remediation is to move MES PCs to the current Factory Control Panel release, which replaces XAMPP.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Festo Didactic SE MES PC operators, OT/ICS administrators, and teams responsible for any bundled PHP/XAMPP components or XML-RPC integrations on the affected systems.
Technical summary
The underlying issue is in PHP’s XML-RPC handling, specifically base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c. When xmlrpc_decode() processes attacker-controlled XML-RPC content, vulnerable PHP releases before 5.6.40, 7.1.26, 7.2.14, and 7.3.1 can read memory outside allocated areas. In the advisory context, that matters for MES PC systems still using the affected PHP stack.
Defensive priority
High — the issue is network-reachable, requires no privileges or user interaction in the CVSS vector supplied, and has a high confidentiality impact. Prioritize MES PC deployments that still expose or consume XML-RPC and any systems that remain on the affected PHP/XAMPP component set.
Recommended defensive actions
- Identify whether any MES PC installations still rely on the vulnerable PHP/XAMPP stack and XML-RPC functionality.
- Upgrade to the current Factory Control Panel version referenced by Festo; the advisory says it replaces XAMPP on MES PCs and includes fixes.
- Where PHP is directly managed, ensure the deployment is at or beyond 5.6.40, 7.1.26, 7.2.14, or 7.3.1, depending on the branch in use.
- Restrict exposure of XML-RPC services and segment MES/OT assets so untrusted networks cannot reach the vulnerable interface.
- Monitor for unusual XML-RPC traffic, parsing errors, crashes, or unexpected memory-related behavior on affected hosts.
- Use the Festo support channel listed in the advisory to obtain the current Factory Control Panel release and confirm applicability to your MES PC model.
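The version check in the actions above is branch-specific, so a plain "is it newer than 7.3.1" test gives the wrong answer for a 7.2.x or 5.6.x build. The following is an added triage helper written for this debrief; it is not tooling from Festo Didactic, PHP or XAMPP. It takes the text of `php -v` and `php -m` collected from a host (constructed samples are embedded below), classifies the release against the fixed versions named in the technical summary, and checks whether the xmlrpc extension is loaded at all, so that hosts which are both affected and actually loading the vulnerable code are handled first. It assumes that branches newer than 7.3 shipped after the fix and are not affected.

```python
#!/usr/bin/env python3
"""Host triage helper for CVE-2019-9024 (PHP xmlrpc_decode() out-of-bounds read).

Added example for this debrief; not Festo Didactic's, PHP's or XAMPP's own
tooling. Input is the text of `php -v` and `php -m` from a host.
"""
import re

# Minimum fixed release per branch, as listed in the advisory's technical summary.
FIXED_VERSIONS = {
    (5, 6): (5, 6, 40),
    (7, 1): (7, 1, 26),
    (7, 2): (7, 2, 14),
    (7, 3): (7, 3, 1),
}
# Assumption: branches newer than 7.3 were released after the fix and are
# treated as not affected by this CVE.
LAST_AFFECTED_BRANCH = (7, 3)


def parse_php_version(php_v_output: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    match = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", php_v_output)
    if match is None:
        raise ValueError("no PHP version found in input")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess_version(version: tuple) -> str:
    """Classify a PHP release against the fixed versions for CVE-2019-9024."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        # Tuple comparison is a correct numeric compare within one branch.
        return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch > LAST_AFFECTED_BRANCH:
        return "not-affected"
    # Older branches (for example 5.5 or 7.0) never received a fix for this CVE.
    return "vulnerable"


def xmlrpc_loaded(php_m_output: str) -> bool:
    """True if the xmlrpc extension appears in `php -m` output (one module per line)."""
    return any(line.strip().lower() == "xmlrpc" for line in php_m_output.splitlines())


def triage_host(php_v_output: str, php_m_output: str) -> dict:
    """Combine release status and extension exposure into a triage verdict."""
    version = parse_php_version(php_v_output)
    status = assess_version(version)
    loaded = xmlrpc_loaded(php_m_output)
    if status == "vulnerable" and loaded:
        action = "upgrade-now"        # affected build and vulnerable code reachable
    elif status == "vulnerable":
        action = "upgrade-scheduled"  # affected build, but xmlrpc is not loaded
    else:
        action = "no-action"
    return {
        "version": ".".join(str(n) for n in version),
        "status": status,
        "xmlrpc_loaded": loaded,
        "action": action,
    }


# Constructed sample outputs standing in for a legacy XAMPP-era MES PC host.
SAMPLE_PHP_V = "PHP 7.2.10 (cli) (built: Jan 1 2019 00:00:00) ( ZTS MSVC15 x64 )\n"
SAMPLE_PHP_M = "[PHP Modules]\nCore\nctype\njson\nmbstring\nxml\nxmlrpc\nzlib\n\n[Zend Modules]\n"

if __name__ == "__main__":
    print(triage_host(SAMPLE_PHP_V, SAMPLE_PHP_M))
```

Run it against the real command output of each MES PC or other PHP host in scope; a host that reports `upgrade-now` is on an affected release with the xmlrpc extension loaded, while `upgrade-scheduled` hosts still need the Factory Control Panel update but do not currently load the affected extension.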
Evidence notes
This debrief is grounded in the supplied CISA CSAF source item for ICSA-26-027-02, which republishes Festo Didactic SE MES PC guidance and names CVE-2019-9024. The source record describes the PHP out-of-bounds read in xmlrpc_decode()/base64_decode_xmlrpc and includes a remediation entry dated 2023-05-26 for replacing XAMPP with Factory Control Panel. Official record links to CVE.org and NVD were included for cross-checking the CVE identity, while CISA and Festo references provide the vendor/OT context. No KEV date was supplied in the enrichment.
Official resources
- CVE-2019-9024 CVE record (CVE.org)
- CVE-2019-9024 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Supplied record dates: CVE publishedAt 2024-02-27T12:00:00.000Z and modifiedAt 2026-01-27T16:20:28.099Z; the source item shares those dates and notes a CISA republication on 2026-01-27. The remediation entry in the advisory is dated 2023-05