PatchSiren cyber security CVE debrief
CVE-2019-9637 Festo Didactic SE CVE debrief
CVE-2019-9637 is a PHP confidentiality issue that occurs during rename() operations across filesystems. While the move is in progress, the file can briefly be available with the wrong permissions, creating a window for unauthorized users to read data. The supplied CISA advisory also maps the issue to Festo Didactic SE’s MES PC and points operators to a vendor replacement path that includes fixes.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators and operators running affected PHP versions, especially in environments where sensitive files are moved across filesystems. Festo Didactic SE MES PC users should pay close attention to the vendor advisory and remediation guidance.
Technical summary
The flaw affects PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. According to the advisory text, rename() across filesystems can leave a file briefly exposed with incorrect permissions during the rename operation. That transient permission window can allow unauthorized users to access the data. The supplied advisory record associates the CVE with Festo Didactic SE MES PC and provides a vendor remediation path via Factory Control Panel as a replacement for XAMPP on MES PCs. The recorded CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High).
Defensive priority
High — the issue is a straightforward confidentiality exposure with no integrity or availability impact in the provided vector, but it can expose sensitive data during routine file handling.
Recommended defensive actions
- Upgrade PHP to a fixed release: 7.1.27 or later, 7.2.16 or later, or 7.3.3 or later.
- If you operate Festo Didactic SE MES PC, follow the vendor guidance to obtain the current Factory Control Panel version that includes fixes; the advisory directs customers to [email protected].
- Review applications and workflows that move sensitive files across filesystems, since that is the condition that creates the permission window.
- Verify file-permission handling in related deployment and update workflows so sensitive data is not exposed during rename operations.
- Use the CISA and vendor advisory links to confirm product applicability before scheduling changes.
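Added example, not code from the advisory or the vendor: a cross-filesystem move that never leaves the data readable under the wrong mode, which is the property the workflow review in the items above is checking for. The demo directories happen to share one filesystem, but the function takes the same copy-then-rename path a cross-device move would; all paths and the sample content are made up.

```python
import os
import shutil
import stat
import tempfile


def safe_move(src: str, dst: str) -> None:
    """Move src to dst with no window in which the data is readable under the wrong mode.

    CVE-2019-9637's pattern is a cross-filesystem rename() that falls back to a copy
    whose target can briefly carry the wrong permissions. Here the target is created
    owner-only before any data is written, the source's mode is applied while the file
    is still private, and the last step is an atomic os.replace() in the destination dir.
    """
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    dst_dir = os.path.dirname(os.path.abspath(dst))
    # mkstemp creates the file with mode 0600, so no other user can open it
    fd, tmp = tempfile.mkstemp(prefix=".move-", dir=dst_dir)
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
            out.flush()
            os.fsync(out.fileno())
            os.fchmod(out.fileno(), src_mode)  # still private until the rename below
        os.replace(tmp, dst)  # tmp and dst share a filesystem, so this is atomic
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    os.unlink(src)


def demo() -> dict:
    """Constructed scenario: move a 0640 file between two directories and report the result."""
    work = tempfile.mkdtemp()
    try:
        src, dst = os.path.join(work, "a", "secret.txt"), os.path.join(work, "b", "secret.txt")
        os.makedirs(os.path.dirname(src))
        os.makedirs(os.path.dirname(dst))
        with open(src, "wb") as f:
            f.write(b"db_password=constructed-sample")
        os.chmod(src, 0o640)
        safe_move(src, dst)
        with open(dst, "rb") as f:
            content = f.read()
        return {"source_exists": os.path.exists(src), "content": content,
                "mode": stat.S_IMODE(os.stat(dst).st_mode)}
    finally:
        shutil.rmtree(work)
```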
Evidence notes
The vulnerability description, fixed PHP version ranges, and CVSS vector come from the supplied CISA CSAF record and the referenced CVE metadata. The Festo Didactic SE MES PC product mapping and the Factory Control Panel remediation path are taken from the same advisory metadata. The supplied timeline shows the advisory record published on 2024-02-27 and republished on 2026-01-27; those dates are advisory-record timing, not the original flaw date.
Official resources
- CVE-2019-9637 CVE record (CVE.org)
- CVE-2019-9637 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
This CVE is a 2019 PHP issue that appears in the supplied 2024 CISA advisory record, which was later republished on 2026-01-27. Use the supplied dates only as advisory-record timing context, not as the original vulnerability date.