PatchSiren cyber security CVE debrief
CVE-2019-9640 Festo Didactic SE CVE debrief
CVE-2019-9640 is a high-severity memory-safety issue in PHP’s EXIF component that the CISA advisory maps to Festo Didactic SE’s MES PC environment. The source describes an invalid read in exif_process_SOFn, and the advisory points operators to the vendor replacement path for bundled XAMPP-related software.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Teams responsible for Festo Didactic SE MES PC deployments, especially OT/IT administrators managing the bundled PHP/XAMPP stack or systems that rely on the vendor’s replacement software path.
Technical summary
The source description says PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3 contain an invalid read in exif_process_SOFn within the EXIF component. The linked CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, so the issue is network-reachable, requires no privileges or user interaction, and is scored for confidentiality impact only (C:H with I:N and A:N), which matches the CWE-125 out-of-bounds read classification in the advisory's resource list.
Defensive priority
High. The flaw is remotely reachable and has no authentication or user-interaction barrier, so affected MES PC deployments should be reviewed and updated promptly, even though the source corpus does not show KEV listing or active exploitation.
Recommended defensive actions
- Verify whether any MES PC systems are using the affected PHP/XAMPP-based component set referenced in the advisory.
- Obtain the current Factory Control Panel replacement from Festo technical support as directed in the remediation entry.
- Replace or update affected MES PC installations before returning them to service; account for the source note that a vulnerable-component restart may be required.
- Use the linked CISA ICS recommended practices to reduce exposure and strengthen segmentation, access control, and monitoring around OT systems.
- Cross-check the vendor and CISA advisories to confirm the exact remediation scope for your installed MES PC version.
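The first action above is to find out whether a given MES PC is running a PHP build inside the affected ranges. The following added example (not vendor, CISA or XAMPP tooling) reads a `php -v` banner and compares the version against the three thresholds the technical summary quotes: before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. The sample banner is constructed; the `php` binary name and its location on a given host are assumptions, so on an XAMPP install you would point `php_binary` at the bundled interpreter.

```python
"""Classify a PHP version against the CVE-2019-9640 ranges quoted in the advisory.

Added example for this debrief; not vendor, CISA or XAMPP tooling.
Affected per the advisory text: before 7.1.27, 7.2.x before 7.2.16, 7.3.x before 7.3.3.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Per-branch fix versions from the advisory text.
FIXED_IN = {
    (7, 2): (7, 2, 16),
    (7, 3): (7, 3, 3),
}
# "PHP before 7.1.27": anything on 7.1 or an older branch is affected below this point.
OLDEST_FIXED: Version = (7, 1, 27)

# Constructed sample of a 'php -v' first line, as a bundled Windows build would print it.
SAMPLE_BANNER = "PHP 7.2.15 (cli) (built: Mar  7 2019 09:56:47) ( ZTS MSVC15 (Visual C++ 2017) x64 )"


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a 'php -v' banner or a bare version string."""
    m = re.search(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)", text) or re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # 7.1.x and older branches fall under "before 7.1.27"; 7.4+ and 8.x are above every range.
    return version < OLDEST_FIXED


def assess(banner: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for a banner or version string."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def installed_php_banner(php_binary: str = "php") -> str:
    """Run '<php_binary> -v' and return its output, or '' if the binary is not present."""
    try:
        proc = subprocess.run([php_binary, "-v"], capture_output=True, text=True, check=False)
    except (FileNotFoundError, OSError):
        return ""
    return proc.stdout


if __name__ == "__main__":
    banner = installed_php_banner() or SAMPLE_BANNER
    print(f"{banner.splitlines()[0]!r}: {assess(banner)}")
```

The comparison is tuple-based so that 7.2.16 correctly sorts above 7.2.9, which a string comparison would get wrong. A "not affected" result only covers this CVE's version ranges; it says nothing about whether the bundled XAMPP stack should still be replaced with the vendor's Factory Control Panel as the remediation entry directs.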
Evidence notes
The source item is CISA advisory ICSA-26-027-02 for Festo Didactic SE MES PC and explicitly describes CVE-2019-9640 as an invalid read in PHP’s EXIF component. The remediation entry says Festo released Factory Control Panel as a replacement for XAMPP on MES PCs and instructs customers to contact [email protected] for the current version. The resource list also includes a CWE-125 reference and the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Official resources
- CVE-2019-9640 CVE record (CVE.org)
- CVE-2019-9640 NVD detail (NVD)
- Source item URL (cisa_csaf)
CVE published: 2024-02-27. Source item and CISA republication modified: 2026-01-27. The remediation entry in the source is dated 2023-05-26, which should be treated as remediation timing rather than the vulnerability issue date.