PatchSiren cyber security CVE debrief
CVE-2019-9639 Festo Didactic SE CVE debrief
CVE-2019-9639 is a high-severity PHP EXIF vulnerability involving an uninitialized read in exif_process_IFD_in_MAKERNOTE. In the supplied CISA CSAF advisory, the issue is mapped to Festo Didactic SE MES PC deployments that relied on bundled PHP/XAMPP components. Festo’s stated remediation path is to replace XAMPP with Factory Control Panel and obtain the current version through vendor support.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators and operators of Festo Didactic SE MES PC, especially environments still using the bundled PHP/XAMPP stack. Security teams responsible for industrial or training-system deployments should also treat this as a priority because the advisory is published through CISA’s ICS channel and carries a high confidentiality-impact CVSS score.
Technical summary
The underlying CVE is in PHP’s EXIF component before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. The flaw is an uninitialized read in exif_process_IFD_in_MAKERNOTE caused by mishandling the data_len variable. The supplied advisory records CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network reachability with no privileges or user interaction required and a confidentiality-only impact. The source item ties the issue to MES PC and recommends moving to Factory Control Panel.
Defensive priority
High
Recommended defensive actions
- Inventory all Festo Didactic SE MES PC installations and confirm whether the affected bundled PHP/XAMPP components are present.
- Contact Festo technical support at [email protected] to obtain the current Factory Control Panel version referenced in the advisory.
- Upgrade or replace affected installations using the vendor’s remediation path, then verify the deployed version after maintenance.
- Apply least-privilege access and tighten exposure to affected systems until remediation is complete.
- Track the official CISA and Festo advisory pages for follow-up updates or revised guidance.
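The inventory step above comes down to comparing each installation's PHP version against the three affected ranges the advisory names (before 7.1.27, 7.2.x before 7.2.16, 7.3.x before 7.3.3). The following is an added example written for this debrief, not tooling from Festo, CISA or the PHP project: it parses a version string (or the first line of `php -v` output), decides whether it falls in an affected range, and optionally queries the PHP binary on PATH. Treat the PATH lookup as a first pass only, since a bundled XAMPP copy of PHP may live outside PATH; the function name `check_local_php` and the optional `php_binary` parameter are this example's own.

```python
"""Classify a PHP version against the CVE-2019-9639 affected ranges.

Affected (per the advisory text): before 7.1.27, 7.2.x before 7.2.16,
7.3.x before 7.3.3. Added example for this debrief; not vendor tooling.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each affected branch, taken from the advisory text.
FIXED_BY_BRANCH = {
    (7, 1): (7, 1, 27),
    (7, 2): (7, 2, 16),
    (7, 3): (7, 3, 3),
}


def parse_version(text: str) -> Optional[Version]:
    """Pull major.minor.patch out of a bare version or `php -v` output.

    Returns None when no dotted triple is present.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version found in {version_text!r}")
    major, minor, _ = v
    # "before 7.1.27" covers every release older than the 7.1 branch too
    # (7.0.x, 5.x), so anything below 7.1 is affected outright.
    if (major, minor) < (7, 1):
        return True
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # 7.4 and later, and 8.x, are outside the ranges the advisory names.
        return False
    return v < fixed


def check_local_php(php_binary: str = "php") -> Optional[dict]:
    """Run `php -v` on the given binary (assumed name/path) and classify it.

    Returns None if the binary is absent, so callers can fall back to
    inspecting bundled copies (e.g. an XAMPP install) by hand.
    """
    try:
        out = subprocess.run([php_binary, "-v"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    v = parse_version(out)
    if v is None:
        return None
    return {"version": ".".join(map(str, v)), "affected": is_affected(out)}


if __name__ == "__main__":
    # Constructed sample strings, not output from any real MES PC host.
    for sample in ("PHP 7.2.10 (cli)", "PHP 7.3.3 (cli)", "7.0.33", "8.2.0"):
        print(f"{sample:22} affected={is_affected(sample)}")
    print("local php:", check_local_php())
```

Running the script on a host prints the classification for the constructed samples and then for whatever `php` resolves to on PATH; a `None` result for the local check means no PHP was found there and the bundled copy has to be located and checked directly.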
Evidence notes
The CISA CSAF source item (ICSA-26-027-02) states: an issue is discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3; there is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable. The same source maps the issue to Festo Didactic SE MES PC and says Festo released Factory Control Panel as a replacement for XAMPP on MES PCs. The source records CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and revision history showing initial publication on 2024-02-27 and later republication on 2026-01-27.
Official resources
- CVE-2019-9639 CVE record (CVE.org)
- CVE-2019-9639 NVD detail (NVD)
- Source item URL (cisa_csaf)
This debrief uses the supplied CVE publication date of 2024-02-27 for timing context. The source item was later republished on 2026-01-27, but that republication date is not treated as the vulnerability’s issue date.