PatchSiren cyber security CVE debrief
CVE-2019-9025 Festo Didactic SE CVE debrief
CVE-2019-9025 is a critical PHP memory-corruption issue affecting PHP 7.3.x before 7.3.1. In the supplied CSAF advisory, the issue is associated with Festo Didactic SE MES PC and a vendor remediation that replaces XAMPP with Factory Control Panel. The core risk is that an invalid multibyte string passed to mb_split() can lead PHP to call memcpy() with a negative argument, which may read and write past allocated buffers. The advisory was published in the supplied source on 2024-02-27 and later republished by CISA on 2026-01-27; those dates reflect advisory handling, not the original flaw introduction.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators and support teams responsible for Festo Didactic SE MES PC deployments, especially systems that include or rely on PHP 7.3.x components, should review this immediately. Security teams should also take note: the CVSS vector marks the flaw as network-reachable with no privileges or user interaction required, and it is rated critical.
Technical summary
The vulnerability is a PHP mbstring regex handling bug in ext/mbstring/php_mbregex.c. An invalid multibyte string given to mb_split() can cause memcpy() to be invoked with a negative size argument, creating an out-of-bounds read/write condition against buffers allocated for the data. The source advisory maps the issue to the Festo Didactic SE MES PC product context and states that Factory Control Panel replaces XAMPP as the fixed component.
Defensive priority
High. The supplied CVSS is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the issue is memory corruption with potential confidentiality, integrity, and availability impact. Prioritize patching or replacement on exposed or operational MES PC installations.
Recommended defensive actions
- Confirm whether any MES PC deployment includes the affected PHP 7.3.x version or bundled XAMPP components.
- Apply the vendor-recommended replacement: obtain the current Factory Control Panel version from Festo technical support as described in the advisory.
- Track whether the environment still depends on mbstring-enabled PHP paths and remove or restrict unnecessary exposure where possible.
- Validate affected systems after remediation and confirm the vulnerable component is no longer present.
- Use standard ICS defensive practices from CISA guidance to reduce blast radius while remediation is underway.
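The first and last actions above (confirm whether a host carries the affected PHP build, then verify after remediation that it no longer does) can be turned into a repeatable inventory check. The following Python script is an added example for this debrief, not code from Festo, CISA or the PHP project. It parses the output of `php -v` and `php -m` (the sample outputs below are constructed, not captured from a real MES PC) and reports whether a host falls inside the affected range the advisory states, PHP 7.3.x before 7.3.1, and whether the mbstring extension is loaded. The hostnames and the `AFFECTED_RANGES` encoding are assumptions made for the example.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the advisory: PHP 7.3.x before 7.3.1.
# Encoded as ((major, minor), first_fixed_patch): a build is affected when
# major.minor matches and its patch level is below the first fixed patch.
AFFECTED_RANGES: List[Tuple[Tuple[int, int], int]] = [((7, 3), 1)]

# First line of `php -v` looks like "PHP 7.3.0 (cli) (built: ...)".
VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample outputs, standing in for what `php -v` / `php -m`
# would print on a host. They are not real captures.
SAMPLE_PHP_V_AFFECTED = (
    "PHP 7.3.0 (cli) (built: Dec  6 2018 15:19:10) ( ZTS MSVC15 x64 )\n"
    "Copyright (c) 1997-2018 The PHP Group\n"
    "Zend Engine v3.3.0, Copyright (c) 1998-2018 Zend Technologies\n"
)
SAMPLE_PHP_V_FIXED = (
    "PHP 7.3.1 (cli) (built: Jan  9 2019 22:01:34) ( ZTS MSVC15 x64 )\n"
    "Copyright (c) 1997-2019 The PHP Group\n"
)
SAMPLE_PHP_M = "[PHP Modules]\nbcmath\nCore\nmbstring\nopenssl\n\n[Zend Modules]\n"


def parse_php_version(php_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `php -v` output, or None if absent."""
    m = VERSION_RE.search(php_v_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int],
                ranges: List[Tuple[Tuple[int, int], int]] = AFFECTED_RANGES) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    major, minor, patch = version
    return any((major, minor) == mm and patch < first_fixed for mm, first_fixed in ranges)


def has_mbstring(php_m_output: str) -> bool:
    """True when `php -m` lists the mbstring extension (the one mb_split lives in)."""
    return any(line.strip().lower() == "mbstring" for line in php_m_output.splitlines())


def assess_host(hostname: str, php_v_output: str, php_m_output: str) -> Dict[str, object]:
    """Combine version and module evidence into a single finding for one host."""
    version = parse_php_version(php_v_output)
    if version is None:
        # No PHP banner: cannot conclude either way, so flag for manual review.
        return {"host": hostname, "version": None, "mbstring": None, "status": "unknown"}
    affected = is_affected(version)
    mbstring = has_mbstring(php_m_output)
    return {
        "host": hostname,
        "version": ".".join(str(n) for n in version),
        "mbstring": mbstring,
        # mbstring not being loaded lowers exposure but does not change the
        # advisory's remediation: the build itself is still the affected one.
        "status": "affected" if affected else "not_affected",
    }


def collect_local(hostname: str = "localhost") -> Dict[str, object]:
    """Run the real `php -v` / `php -m` on this machine and assess the result."""
    try:
        v = subprocess.run(["php", "-v"], capture_output=True, text=True, timeout=10).stdout
        m = subprocess.run(["php", "-m"], capture_output=True, text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return {"host": hostname, "version": None, "mbstring": None, "status": "unknown"}
    return assess_host(hostname, v, m)


if __name__ == "__main__":
    # Walk through the constructed samples as if they were two MES PC hosts.
    for host, v_out in (("mes-pc-01", SAMPLE_PHP_V_AFFECTED), ("mes-pc-02", SAMPLE_PHP_V_FIXED)):
        print(assess_host(host, v_out, SAMPLE_PHP_M))
```

Running the script prints one finding per sample host; the same `assess_host()` function can be fed real captures gathered from each MES PC before and after the Factory Control Panel replacement, so the post-remediation validation step is simply a second run that must report `not_affected` or no PHP banner at all.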
Evidence notes
Source evidence comes from the CISA CSAF advisory ICSA-26-027-02 and its referenced Festo materials. The advisory text states: PHP 7.3.x before 7.3.1 is affected; an invalid multibyte string passed to mb_split() can cause memcpy() with a negative argument and buffer over-read/write. The supplied remediation section states that Festo Didactic has released Factory Control Panel as a replacement for XAMPP on MES PCs and directs customers to technical support for the current version. The timeline provided in the source indicates initial advisory publication on 2024-02-27 and CISA republication on 2026-01-27.
Official resources
- CVE-2019-9025 CVE record (CVE.org)
- CVE-2019-9025 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
Public advisory-based debrief only. No exploit code, reproduction steps, or offensive guidance included.