PatchSiren cyber security CVE debrief

CVE-2020-7062 Festo Didactic SE CVE debrief

CVE-2020-7062 is a denial-of-service flaw in PHP file upload progress cleanup handling. In the supplied advisory, a failed upload can trigger a null pointer dereference when upload progress tracking is enabled and session.upload_progress.cleanup is set to 0, which would likely crash the service. CISA’s CSAF record maps the issue to Festo Didactic SE MES PC and directs users to the vendor’s replacement/fixed Factory Control Panel for those systems.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic SE MES PC operators, industrial system administrators, and PHP application owners who expose file upload endpoints with upload progress tracking enabled—especially where session.upload_progress.cleanup is disabled.

Technical summary

The source advisory states that affected PHP releases are 7.2.x before 7.2.28, 7.3.x before 7.3.15, and 7.4.x before 7.4.3. The trigger condition is a failed file upload while upload progress tracking is enabled and session.upload_progress.cleanup=0, causing the upload procedure to attempt cleanup of missing data and hit a null pointer dereference. The documented impact is availability loss via crash; no integrity or confidentiality impact is described in the supplied material.

Defensive priority

High. The supplied CVSS is 7.5 (HIGH), the vector is network-reachable with no privileges or user interaction required, and the impact is a likely crash in an upload path that can disrupt service availability.

Recommended defensive actions

  • Where PHP is directly in use, upgrade to 7.2.28, 7.3.15, or 7.4.3 (or a later release within the same branch).
  • Review file upload configurations and avoid leaving session.upload_progress.cleanup set to 0 unless the deployment has been validated against this condition.
  • If you are operating Festo Didactic SE MES PC systems, obtain the current Factory Control Panel version referenced in the advisory and deploy the vendor fix through Festo technical support.
  • Verify whether upload progress tracking is actually needed; disable it where operationally unnecessary.
  • Monitor affected hosts for unexpected crashes or service restarts around failed upload events.
  • Confirm that any replacement or updated MES PC package is the current vendor-released build noted in the advisory.
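The trigger condition in the technical summary and the configuration review above combine into a single host check. The following is an added example, not code from the advisory or from Festo: it parses a PHP version string and a php.ini fragment and reports whether all three conditions (vulnerable branch build, upload progress tracking enabled, cleanup set to 0) hold. The php.ini defaults and the simplified boolean-directive semantics are assumptions stated in the comments; the sample ini content is constructed.

```python
"""Audit PHP version + session.upload_progress settings for CVE-2020-7062 exposure."""
import re

# Fixed releases from the advisory; branches it does not list are not assessed here.
FIXED_RELEASES = {(7, 2): (7, 2, 28), (7, 3): (7, 3, 15), (7, 4): (7, 4, 3)}
# Assumed php.ini defaults for the two directives (both enabled when unset).
DEFAULTS = {"session.upload_progress.enabled": "1", "session.upload_progress.cleanup": "1"}


def parse_version(version):
    """'7.4.2-1ubuntu' -> (7, 4, 2); raises on unparseable input."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    return tuple(int(part) for part in match.groups())


def version_affected(version):
    """True when the build is in an advisory branch below that branch's fixed release."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    return fixed is not None and parsed < fixed


def parse_ini(text):
    """Minimal php.ini reader: ';' comments, [sections], key = value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and not line.startswith("["):
            settings[key.strip()] = value.strip().strip('"')
    return settings


def ini_truthy(value):
    """Simplified PHP boolean-directive semantics: Off/0/false/no/none/'' are false."""
    return value.strip().lower() not in ("", "0", "off", "false", "no", "none")


def assess(version, ini_text):
    """Return (exposed, findings); exposed requires all three trigger conditions."""
    settings = {**DEFAULTS, **parse_ini(ini_text)}
    tracking_on = ini_truthy(settings["session.upload_progress.enabled"])
    cleanup_off = not ini_truthy(settings["session.upload_progress.cleanup"])
    findings = []
    if version_affected(version):
        findings.append(f"PHP {version} is below the fixed release for its branch")
    if tracking_on and cleanup_off:
        findings.append("upload progress tracking enabled with cleanup=0")
    return version_affected(version) and tracking_on and cleanup_off, findings


# Constructed sample php.ini fragment (not taken from the advisory).
SAMPLE_INI = "[Session]\nsession.upload_progress.enabled = On\nsession.upload_progress.cleanup = 0 ; left off\n"
```

In practice, feed `assess()` the version from `php -v` and the contents of the loaded php.ini reported by `php --ini`; a second finding without the first still flags a configuration worth correcting.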

Evidence notes

The supplied CISA CSAF record for ICSA-26-027-02 explicitly ties CVE-2020-7062 to Festo Didactic SE MES PC and repeats the PHP version ranges and cleanup condition from the advisory description. The remediation field states that Festo Didactic released Factory Control Panel as a replacement for XAMPP on MES PCs and provides a vendor support contact. No KEV entry is present in the supplied enrichment. The source item was published on 2024-02-27 and later republished/modified on 2026-01-27; those dates are advisory timeline context, not the underlying issue date.

Official resources

This debrief is based on the supplied CISA CSAF record for CVE-2020-7062, published 2024-02-27 and republished/modified 2026-01-27 in the source timeline. The advisory content describes a PHP upload-path crash condition and maps it to Festo