PatchSiren cyber security CVE debrief

CVE-2020-7059 Festo Didactic SE CVE debrief

CVE-2020-7059 describes a PHP fgetss() buffer over-read that can lead to information disclosure or a crash. In the CISA advisory for Festo Didactic SE MES PC, the vendor points users to a replacement Factory Control Panel for XAMPP on MES PCs and says the current version includes fixes.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Organizations running Festo Didactic SE MES PC deployments, especially administrators responsible for XAMPP/Factory Control Panel software and any embedded PHP components. This is most important where the affected system is exposed to untrusted input or supports operational workflows that cannot tolerate crashes or data leakage.

Technical summary

According to the source advisory, using fgetss() with tag stripping in PHP 7.2.x before 7.2.27, 7.3.x before 7.3.14, and 7.4.x before 7.4.2 can cause the function to read past the allocated buffer. The stated outcomes are information disclosure or a crash. The CISA CSAF advisory maps this issue to Festo Didactic SE MES PC and references a vendor-provided replacement package as the remediation path.

Defensive priority

Critical: prioritize validation and update planning immediately for any MES PC environment that may include the affected PHP versions or the vendor-referenced XAMPP-based software stack.

Recommended defensive actions

  • Contact Festo technical support and obtain the current Factory Control Panel version referenced by the vendor as containing fixes for these vulnerabilities.
  • Verify whether any MES PC deployment uses PHP versions earlier than 7.2.27, 7.3.14, or 7.4.2 and update to a fixed release where applicable.
  • Review the CISA ICS recommended practices and defense-in-depth guidance to reduce exposure while remediation is underway.
  • Confirm the updated software is deployed and functioning as expected, then document the software version and remediation status for the affected MES PC assets.
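A version check for the second action above, added here as an example and not part of the advisory or the vendor's tooling: it parses the first line of `php -v` output and classifies the build against the fixed releases named in the technical summary. The sample banners are constructed, and a `php` binary on PATH is assumed for the `--local` mode.

```python
"""Classify a PHP build against the CVE-2020-7059 fgetss() over-read ranges
named in the advisory: 7.2.x before 7.2.27, 7.3.x before 7.3.14,
7.4.x before 7.4.2. Input is the banner line printed by `php -v`."""
import re
import subprocess
import sys

# First fixed release per affected minor branch, taken from the advisory text.
FIXED = {(7, 2): (7, 2, 27), (7, 3): (7, 3, 14), (7, 4): (7, 4, 2)}

_VER_RE = re.compile(r"PHP (\d+)\.(\d+)\.(\d+)")

def parse_php_version(banner):
    """Return (major, minor, patch) from a `php -v` banner, or None if absent."""
    m = _VER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True when the version lies below the fix for its branch. Branches the
    advisory does not list (e.g. 8.x) are treated as out of scope for this
    CVE only; that says nothing about other issues in those branches."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version < fixed

def assess(banner):
    """Map a banner to 'affected', 'fixed', 'not-in-scope' or 'unknown'."""
    v = parse_php_version(banner)
    if v is None:
        return "unknown"
    if v[:2] not in FIXED:
        return "not-in-scope"
    return "affected" if is_affected(v) else "fixed"

# Constructed sample banners in the shape of the first line of `php -v`.
SAMPLES = [
    "PHP 7.2.26 (cli) (built: Dec 17 2019 10:00:00) ( NTS )",
    "PHP 7.3.14 (cli) (built: Jan 21 2020 10:00:00) ( NTS )",
    "PHP 7.4.1 (cli) (built: Dec 17 2019 10:00:00) ( NTS )",
    "PHP 8.1.0 (cli) (built: Nov 23 2021 10:00:00) ( NTS )",
]

if __name__ == "__main__":
    # No argument: assess the constructed samples. "--local": run the
    # installed php binary (assumed to be on PATH) and assess its banner.
    if len(sys.argv) > 1 and sys.argv[1] == "--local":
        out = subprocess.run(["php", "-v"], capture_output=True, text=True).stdout
        print(assess(out), out.splitlines()[0] if out else "(no output)")
    else:
        for s in SAMPLES:
            print(f"{assess(s):13s} {s.split(' (')[0]}")
```

Record the classification alongside the asset's software version and remediation status, as the last action above asks.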

Evidence notes

The debrief is based on the supplied CISA CSAF source item for ICSA-26-027-02, which states the buffer over-read condition, affected PHP version ranges, impact, and vendor remediation language. The source references the official CVE record, CISA advisory, Festo PSIRT/vendor advisory pages, and CISA ICS defensive guidance. No exploit details are included.

Official resources

CISA’s source advisory was first published on 2024-02-27 and republished on 2026-01-27; those are advisory dates, not the original software flaw date. The vendor remediation date in the source is 2023-05-26 for the replacement Factory Cont-