PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-9638 Festo Didactic SE CVE debrief

CVE-2019-9638 is a confidentiality-impacting memory disclosure issue in PHP's EXIF processing: an uninitialized read in the MakerNote parser. The CISA CSAF advisory for Festo Didactic SE maps it to MES PC systems, which carry the affected PHP release inside the XAMPP/Factory Control Panel stack. Because the CVSS vector is network-reachable, needs no privileges or user interaction, and rates the confidentiality impact high, treat it as a high-priority fix for any exposed MES PC deployment.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: 7.5 HIGH (CVSS 3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CISA KEV: not listed (per the stored evidence)
Source record published: 2024-02-27 (the CVE itself was assigned in 2019; see Evidence notes)
Source record updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo MES PC operators, OT/industrial PC administrators, and anyone responsible for the Factory Control Panel/XAMPP/PHP stack on those systems, especially if the environment processes untrusted images or remotely supplied EXIF content.

Technical summary

The vulnerability is an uninitialized read in exif_process_IFD_in_MAKERNOTE caused by mishandling the relationship between maker_note->offset and value_len: the parser applies the vendor-specific offset at which the embedded MakerNote IFD is expected to start without first confirming that the offset lies within the MakerNote data actually present (value_len), so a short or crafted MakerNote makes the parser read beyond the supplied bytes. Affected PHP releases are those before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3; the fix shipped in 7.1.27, 7.2.16 and 7.3.3. In the advisory, Festo ties the issue to MES PC deployments and directs customers to a replacement Factory Control Panel version obtained through technical support.
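To make the offset/value_len point concrete, the following is an added illustrative model of the bug class, written for this debrief; it is not PHP's exif_process_IFD_in_MAKERNOTE, and the struct name, table layout, function names and sample bytes are assumptions. It contrasts a parser that applies a fixed per-vendor offset without consulting value_len with one that checks the offset against it. In real PHP the memory past a truncated MakerNote may be uninitialized heap; here a marked neighbouring region stands in for it so the leak is visible and deterministic.

```c
/* Added illustrative model of the CVE-2019-9638 bug class, not PHP's own
 * exif_process_IFD_in_MAKERNOTE. Names, the table layout and the sample
 * bytes are assumptions chosen for demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the parser's per-vendor table: where the embedded IFD begins
 * inside the MakerNote value. The offset is fixed per camera make; the
 * attacker controls how many MakerNote bytes (value_len) are actually present. */
typedef struct {
    const char *make;
    size_t offset;
} maker_note_entry;

static uint16_t read_u16le(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the vendor offset is applied without comparing it to
 * value_len. With a truncated MakerNote this reads whatever sits after the
 * value in memory and returns it as the IFD entry count. */
int makernote_count_unchecked(const unsigned char *value, size_t value_len,
                              const maker_note_entry *mn, uint16_t *count) {
    (void)value_len;                       /* never consulted: the bug */
    *count = read_u16le(value + mn->offset);
    return 0;
}

/* Hardened pattern: refuse an offset at or beyond the value, and make sure
 * the two-byte count itself lies fully inside it. Returns -1 on rejection. */
int makernote_count_checked(const unsigned char *value, size_t value_len,
                            const maker_note_entry *mn, uint16_t *count) {
    if (mn->offset >= value_len) return -1;       /* offset past the data */
    if (value_len - mn->offset < 2) return -1;    /* count would straddle the end */
    *count = read_u16le(value + mn->offset);
    return 0;
}

/* Constructed sample: a 16-byte MakerNote value followed by 16 bytes standing
 * in for unrelated neighbouring memory (marked 0xA5 0x5A). The vendor table
 * says the IFD starts at offset 16, which is exactly value_len, so the
 * unchecked parser reads the neighbouring bytes. */
static const size_t SAMPLE_VALUE_LEN = 16;
static const maker_note_entry SAMPLE_VENDOR = { "ExampleCam", 16 };

static void build_sample(unsigned char backing[32]) {
    memset(backing, 0, 32);
    backing[0] = 0x03;          /* genuine entry count if the offset were 0 */
    backing[16] = 0xA5;         /* bytes beyond the declared value */
    backing[17] = 0x5A;
}

/* Value the vulnerable parser leaks from beyond the MakerNote (0x5AA5). */
unsigned demo_unchecked_leak(void) {
    unsigned char backing[32];
    uint16_t count = 0;
    build_sample(backing);
    makernote_count_unchecked(backing, SAMPLE_VALUE_LEN, &SAMPLE_VENDOR, &count);
    return count;
}

/* Return code of the hardened parser on the same input (-1: rejected). */
int demo_checked_rc(void) {
    unsigned char backing[32];
    uint16_t count = 0;
    build_sample(backing);
    return makernote_count_checked(backing, SAMPLE_VALUE_LEN, &SAMPLE_VENDOR, &count);
}

/* The hardened parser still accepts a well-formed note with offset 0 (count 3). */
int demo_checked_benign(void) {
    unsigned char backing[32];
    uint16_t count = 0;
    maker_note_entry benign = { "ExampleCam", 0 };
    build_sample(backing);
    if (makernote_count_checked(backing, SAMPLE_VALUE_LEN, &benign, &count) != 0) return -1;
    return count;
}

int main(void) {
    printf("unchecked parser leaked 0x%04X from past the value\n", demo_unchecked_leak());
    printf("checked parser rc=%d, benign count=%d\n", demo_checked_rc(), demo_checked_benign());
    return 0;
}
```

The lesson carries over to any tag parser that combines a trusted table offset with an attacker-controlled length: the check has to be offset plus the size of what is read against the length actually present, not merely offset against zero.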

Defensive priority

High. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, low complexity, no privileges or user interaction, unchanged scope, and high confidentiality impact with no integrity or availability impact. In an OT-facing product, memory disclosure from a web-exposed image-processing component deserves prompt remediation and exposure reduction, since leaked process memory can include data that later supports other attacks.

Recommended defensive actions

  • Identify MES PC instances that include the affected Factory Control Panel/XAMPP/PHP stack and confirm whether they can process untrusted image uploads or EXIF data.
  • Obtain the current Factory Control Panel release from Festo technical support and apply the vendor-provided replacement as directed in the advisory.
  • If you manage any standalone PHP deployments, verify that PHP is at or above 7.1.27, 7.2.16, or 7.3.3, depending on the branch in use.
  • Reduce exposure of any web-facing or image-processing services on MES PCs until the fix is in place, and monitor for unexpected errors or anomalous image-processing activity.
  • Update asset inventories and maintenance records so MES PC systems are tracked as remediated once the vendor replacement is installed.
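For the PHP branch check in the list above, here is an added triage helper written for this debrief; it is not Festo's or PHP's tooling. It takes the first line of `php -v` (or a bare version string) and reports whether that build is at or above the fix for its branch (7.1.27, 7.2.16, 7.3.3). It generalizes slightly beyond the three listed branches: releases older than 7.1 are treated as affected, since they fall under "before 7.1.27", and 7.4 and later are treated as fixed because they postdate the fix. The banner format assumed is "PHP X.Y.Z (cli) ..."; the sample banners are constructed, not captured from a real MES PC.

```c
/* Added triage helper for the PHP branch check; not Festo's or PHP's tooling.
 * Input is the first line of `php -v` or a bare version. Assumed banner
 * format: "PHP X.Y.Z (cli) ...". */
#include <stdio.h>
#include <string.h>

typedef enum { PHP_UNPARSED = -1, PHP_VULNERABLE = 0, PHP_FIXED = 1 } php_status;

/* Extract the dotted version triple, skipping an optional "PHP " prefix. */
static int parse_php_version(const char *s, int *maj, int *min, int *patch) {
    if (strncmp(s, "PHP ", 4) == 0) s += 4;
    return sscanf(s, "%d.%d.%d", maj, min, patch) == 3;
}

/* CVE-2019-9638 is fixed in 7.1.27, 7.2.16 and 7.3.3. Anything older than
 * the 7.1 branch is covered by "before 7.1.27"; 7.4 and later postdate the fix. */
php_status php_exif_status(const char *version_line) {
    int maj, min, patch;
    if (!parse_php_version(version_line, &maj, &min, &patch)) return PHP_UNPARSED;
    if (maj < 7 || (maj == 7 && min < 1)) return PHP_VULNERABLE;
    if (maj == 7 && min == 1) return patch >= 27 ? PHP_FIXED : PHP_VULNERABLE;
    if (maj == 7 && min == 2) return patch >= 16 ? PHP_FIXED : PHP_VULNERABLE;
    if (maj == 7 && min == 3) return patch >= 3 ? PHP_FIXED : PHP_VULNERABLE;
    return PHP_FIXED;
}

int main(void) {
    /* Constructed sample banners, not output captured from any real system. */
    const char *samples[] = {
        "PHP 7.2.15 (cli) (built: Feb  6 2019 10:40:59) ( ZTS MSVC15 (Visual C++ 2017) x64 )",
        "PHP 7.3.3 (cli) (built: Mar  5 2019 22:11:25) ( NTS )",
        "7.1.26",
        "PHP 5.6.40 (cli)",
        "PHP 8.2.12 (cli)",
        "not a php banner",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        php_status st = php_exif_status(samples[i]);
        const char *label = st == PHP_FIXED ? "fixed" : st == PHP_VULNERABLE ? "VULNERABLE" : "unparsed";
        printf("%-11s %s\n", label, samples[i]);
    }
    return 0;
}
```

On an MES PC the banner comes from running `php -v` in the XAMPP php directory; on Linux hosts `php -v | head -n 1` gives the same line. A "fixed" verdict only covers this CVE, not the other issues fixed in those branches or the overall support status of the PHP release.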

Evidence notes

The source corpus describes the flaw as an uninitialized read in PHP's EXIF component and the supplied CISA CSAF advisory maps it to Festo Didactic SE MES PC. The remediation text says Festo has released Factory Control Panel as a replacement for XAMPP on MES PCs and directs customers to contact technical support for the current version that includes fixes. Timing context comes from the supplied record: publishedAt 2024-02-27 and modifiedAt 2026-01-27; those dates are used as advisory publication/republication context, not as the original vulnerability discovery date.

Official resources

Published in the supplied source record on 2024-02-27 and republished by CISA for the Festo Didactic SE MES PC advisory on 2026-01-27. The underlying vulnerability description concerns PHP EXIF handling and the fixed PHP branches listed in