PatchSiren cyber security CVE debrief
CVE-2020-7061 Festo Didactic SE CVE debrief
CVE-2020-7061 is a critical vulnerability in PHP's phar extension that can affect Festo Didactic SE MES PC deployments running the vulnerable bundled PHP stack. On Windows, extracting a crafted PHAR file with an affected PHP version can trigger a one-byte read past the allocated buffer, which can disclose memory contents or crash the process. CISA's advisory rates the issue 9.1 (Critical), and Festo's remediation path is to move MES PC environments to the replacement Factory Control Panel package, which includes the fixes.
- Vendor
- Festo Didactic SE
- Product
- MES PC
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-02-27
- Original CVE updated
- 2026-01-27
- Advisory published
- 2024-02-27
- Advisory updated
- 2026-01-27
Who should care
Administrators and engineers responsible for Festo Didactic SE MES PC systems, especially environments that still rely on the bundled XAMPP/PHP components on Windows. It also matters to teams that maintain their own PHP 7.3.x or 7.4.x installations on Windows that extract PHAR archives, since the flaw is in upstream PHP rather than in Festo code.
Technical summary
The underlying flaw is in PHP's phar extension on Windows: extracting a crafted PHAR file with an affected PHP version (7.3.x below 7.3.15, or 7.4.x below 7.4.3) can cause a one-byte read past the allocated buffer. The supplied advisory ties this upstream PHP issue to Festo Didactic MES PC exposure and notes that the vendor's replacement Factory Control Panel includes the fixes. The published CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H: network-reachable, low complexity, no privileges or user interaction required, with high confidentiality and availability impact and no integrity impact, consistent with an out-of-bounds read that leaks or crashes rather than writes.
Defensive priority
High. The flaw is an out-of-bounds read rather than code execution, but the CVSS vector models it as network-reachable with no privileges or user interaction, and it can disclose memory contents or destabilize the affected process. Actual exposure depends on whether untrusted PHAR archives can reach the phar extension on a given MES PC, but because the fix is a version upgrade, prioritize upgrading or replacing exposed MES PC installations over compensating controls alone.
Recommended defensive actions
- Verify whether any MES PC instance still uses the vulnerable XAMPP/PHP stack referenced in the advisory.
- Upgrade to the vendor-provided Factory Control Panel replacement that Festo says includes the fixes.
- If PHP is maintained separately, ensure Windows systems are on PHP 7.3.15 or later, or 7.4.3 or later.
- Restrict ingestion of untrusted PHAR archives until affected components are removed or updated.
- Monitor affected hosts for crashes or abnormal behavior during archive extraction workflows.
- Use the vendor and CISA advisory references to confirm the exact product/version scope in your environment.
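As an added triage example (not code from the advisory, Festo or CISA), the following Python script applies the version scope above to a constructed host inventory: it parses the first line of `php -v` output, checks the 7.3.x and 7.4.x branches against the fixed releases 7.3.15 and 7.4.3, and treats non-Windows hosts and other PHP branches as outside this CVE's scope rather than silently safe. The hostnames, inventory and captured banners are made up for illustration; the `C:\xampp\php\php.exe` path mentioned in the comment is the usual XAMPP default and is an assumption about how the banner would be collected.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, as stated in the advisory for CVE-2020-7061.
# Branches not listed here (7.2, 8.x, ...) are not in this CVE's scope; check them
# against their own advisories rather than assuming they are safe.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (7, 3): (7, 3, 15),
    (7, 4): (7, 4, 3),
}

# Matches the leading "PHP x.y.z" of the first line printed by `php -v`.
BANNER_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from `php -v` output, or None if no banner is found."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version, windows: bool = True) -> bool:
    """True when the version is in an affected branch and below that branch's fixed release.

    The flaw is in the phar extension on Windows, so non-Windows hosts return False.
    """
    if not windows:
        return False
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return False
    return version < fixed  # tuple comparison: (7, 3, 14) < (7, 3, 15)


def assess_hosts(inventory: List[Tuple[str, bool, str]]) -> Dict[str, str]:
    """Map hostname -> verdict for a list of (hostname, is_windows, php_v_output)."""
    verdicts: Dict[str, str] = {}
    for host, windows, banner in inventory:
        version = parse_php_version(banner)
        if version is None:
            verdicts[host] = "unknown: no PHP banner, inspect manually"
        elif not windows:
            verdicts[host] = "not affected: not Windows"
        elif version[:2] not in FIXED_BY_BRANCH:
            verdicts[host] = "out of scope for this CVE: branch %d.%d" % version[:2]
        elif is_affected(version, windows):
            fixed = FIXED_BY_BRANCH[version[:2]]
            verdicts[host] = "AFFECTED: %d.%d.%d, upgrade to %d.%d.%d or later" % (version + fixed)
        else:
            verdicts[host] = "fixed: %d.%d.%d" % version
    return verdicts


# Constructed sample inventory (hostnames, build dates and banners are made up).
# On an XAMPP-based MES PC the banner would typically come from `C:\xampp\php\php.exe -v`.
SAMPLE_INVENTORY = [
    ("mes-pc-01", True, "PHP 7.3.12 (cli) (built: Nov 19 2019 12:34:56) ( ZTS Visual C++ 2017 x64 )"),
    ("mes-pc-02", True, "PHP 7.4.3 (cli) (built: Feb 18 2020 17:29:57) ( ZTS Visual C++ 2017 x64 )"),
    ("mes-pc-03", True, "PHP 7.4.2 (cli) (built: Jan 21 2020 09:12:00) ( ZTS Visual C++ 2017 x64 )"),
    ("mes-pc-04", True, "PHP 8.1.2 (cli) (built: Jan 19 2022 10:18:43) (ZTS Visual C++ 2019 x64)"),
    ("lab-linux-01", False, "PHP 7.3.10 (cli) (built: Sep 25 2019 14:30:00) ( NTS )"),
    ("mes-pc-05", True, "'php' is not recognized as an internal or external command"),
]

if __name__ == "__main__":
    for host, verdict in assess_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The "unknown" and "out of scope" verdicts are deliberate: a host with no PHP on PATH may still carry a bundled XAMPP interpreter that was never queried, and a PHP 8.x host is clear of this CVE but not necessarily of later phar fixes, so neither should be filed as remediated without a manual look.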
Evidence notes
Source evidence comes from the CISA CSAF advisory ICSA-26-027-02 and its linked vendor references. The advisory text states that in PHP 7.3.x below 7.3.15 and 7.4.x below 7.4.3, extracting PHAR files on Windows with the phar extension can cause a one-byte read past the allocated buffer, leading to information disclosure or a crash. The remediation entry says Festo Didactic released Factory Control Panel as a replacement for XAMPP on MES PCs and that the current version includes fixes. No KEV listing was provided.
Official resources
- CVE-2020-7061 CVE record (CVE.org)
- CVE-2020-7061 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2020-7061 was published in the supplied CVE record on 2024-02-27 and republished in the CISA CSAF source on 2026-01-27. Those dates describe the records, not the flaw: the underlying vulnerability is the PHP phar extraction issue on Windows, which the fixed releases 7.3.15 and 7.4.3 address.