PatchSiren cyber security CVE debrief

CVE-2019-9641 Festo Didactic SE CVE debrief

CVE-2019-9641 is a critical PHP EXIF flaw involving an uninitialized read in exif_process_IFD_in_TIFF. The supplied CISA/Festo advisory ties the issue to Festo Didactic SE MES PC deployments and says the replacement Factory Control Panel includes fixes for these vulnerabilities. For affected environments, remediation is urgent.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic SE MES PC operators, industrial automation defenders, and administrators responsible for systems that bundle PHP’s EXIF component, especially where XAMPP is still in use.

Technical summary

The vulnerability is an uninitialized read in PHP’s EXIF component, specifically exif_process_IFD_in_TIFF, affecting PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. The advisory material in this corpus is a CISA republication of Festo guidance for MES PC, and the remediation states that Factory Control Panel replaces XAMPP on MES PCs and includes fixes. The CVSS vector provided is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

Urgent

Recommended defensive actions

  • Obtain the current Factory Control Panel from Festo technical support at [email protected], as the advisory says it includes fixes for these vulnerabilities.
  • Confirm whether any MES PC installation still relies on vulnerable PHP versions earlier than 7.1.27, 7.2.16, or 7.3.3, and remediate any exposed systems.
  • Replace or retire XAMPP-based components in affected MES PC deployments according to the vendor remediation guidance.
  • Use CISA’s ICS recommended practices and defense-in-depth guidance to reduce exposure while remediation is underway.
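One way to carry out the version check in the second action above, as an added example that is not part of the advisory or of any Festo or PHP project code: it parses the first line of `php -v` output collected from each host (the sample outputs below are constructed) and applies the fixed-version thresholds the advisory names, treating every release older than the 7.1 branch as affected, as the wording "PHP before 7.1.27" implies.

```python
import re

# Constructed `php -v` first lines for three hypothetical MES PC hosts; not real inventory data.
SAMPLE_PHP_V_OUTPUTS = {
    "mespc-01": "PHP 7.2.14 (cli) (built: Dec  6 2018 14:03:07) ( ZTS MSVC15 (Visual C++ 2017) x64 )",
    "mespc-02": "PHP 7.3.3 (cli) (built: Mar  5 2019 18:47:45) ( ZTS MSVC15 (Visual C++ 2017) x64 )",
    "mespc-03": "PHP 8.2.12 (cli) (built: Oct 24 2023 21:15:15) (NTS Visual C++ 2019 x64)",
    "mespc-04": "'php' is not recognized as an internal or external command",
}

# First fixed release of each affected branch, as stated in the advisory.
FIXED = {(7, 1): (7, 1, 27), (7, 2): (7, 2, 16), (7, 3): (7, 3, 3)}


def parse_version(php_v_output):
    """Return (major, minor, patch) from `php -v` output, or None if no version is present."""
    match = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", php_v_output)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True if the version falls inside a range the advisory lists as affected."""
    major, minor, _patch = version
    branch = (major, minor)
    if branch in FIXED:
        # Within a listed branch, anything older than the fixed release is affected.
        return version < FIXED[branch]
    # "PHP before 7.1.27" covers every release older than the 7.1 branch as well.
    if branch < (7, 1):
        return True
    # 7.4 and later shipped after the fix and are outside the stated ranges.
    return False


def triage(outputs):
    """Map host label -> (version string or None, verdict) for a dict of `php -v` outputs."""
    results = {}
    for host, output in outputs.items():
        version = parse_version(output)
        if version is None:
            results[host] = (None, "UNKNOWN")  # no PHP found or unparseable; inspect manually
            continue
        verdict = "VULNERABLE" if is_vulnerable(version) else "NOT AFFECTED"
        results[host] = (".".join(str(p) for p in version), verdict)
    return results


if __name__ == "__main__":
    for host, (version, verdict) in triage(SAMPLE_PHP_V_OUTPUTS).items():
        print(f"{host}: {version or '-'} {verdict}")
```

A "NOT AFFECTED" verdict only covers this CVE's stated ranges; the vendor's remediation (replacing XAMPP with Factory Control Panel) still applies to MES PC deployments.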

Evidence notes

The source corpus is a CISA CSAF republication of the Festo Didactic SE MES PC advisory (ICSA-26-027-02 / FSA-202402). The advisory description explicitly states the PHP EXIF uninitialized-read issue and the affected PHP version ranges. The remediation entry explicitly says Factory Control Panel is a replacement for XAMPP on MES PCs and that the current version includes fixes. Timeline fields supplied with the source should be treated as the advisory publication/republication context, not as the original software defect date.

Official resources

The supplied source item was initially published on 2024-02-27 and republished by CISA on 2026-01-27. The underlying PHP EXIF issue described in the advisory affects versions before 7.1.27, 7.2.16, and 7.3.3, while the vendor remediation in