PatchSiren cyber security CVE debrief
CVE-2020-7063 Festo Didactic SE CVE debrief
CISA’s Festo Didactic SE MES PC advisory includes CVE-2020-7063, a PHP PHAR archive permission issue in which files added with PharData::buildFromIterator() are stored with the default 0666 permission bits rather than the source files' more restrictive mode. For MES PC environments that still rely on affected PHP builds, extracted files may end up with broader access than intended, which is a hardening and integrity concern. The advisory points to Factory Control Panel as the replacement for XAMPP on MES PCs and states that current versions include fixes.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Operators and maintainers of Festo Didactic SE MES PC systems, especially teams still using XAMPP or affected PHP builds, and administrators responsible for archive creation/extraction workflows and post-extraction file permissions.
Technical summary
The underlying issue affects PHP 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3. When creating a PHAR archive with PharData::buildFromIterator(), files can be added with default permissions (0666) even if the source files are more restrictive, so extracted content may have weaker-than-intended permissions. The supplied advisory data assigns CVSS 3.1 5.3/Medium with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Defensive priority
Medium — prioritize if MES PC deployments still generate or extract PHAR archives with affected PHP versions; otherwise verify the vendor replacement and plan remediation during normal maintenance.
Recommended defensive actions
- Confirm whether any MES PC systems still use PHP 7.2 < 7.2.28, 7.3 < 7.3.15, or 7.4 < 7.4.3 and inventory any PHAR archive workflows.
- Adopt Festo’s current Factory Control Panel version for MES PCs, obtained via the vendor support path cited in the advisory, as the documented replacement for XAMPP.
- Review archive creation and extraction steps to ensure file permissions are checked after extraction and tightened where required.
- Restrict access to archive destinations and monitor for unexpected permission broadening on extracted files.
- Validate the vendor-provided replacement or update in a test environment before rolling it into production MES PC systems.
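The two permission-related actions above (check file modes after extraction, tighten them where required) can be scripted. The following POSIX shell script is an added example written for this debrief, not code from Festo, CISA or the PHP project: it walks an extraction directory, reports regular files whose group- or world-write bit is set (the effect of the 0666 default the technical summary describes), and optionally strips those bits. The sample tree it builds under a temporary directory is constructed for the demonstration; the directory to audit in a real deployment is an assumption you supply.

```bash
#!/bin/sh
# Post-extraction permission audit for archive contents (added example).
# Assumes POSIX sh with find, chmod, mktemp and printf available.

# audit_world_writable DIR
#   Prints every regular file under DIR whose mode grants group write (020)
#   or other write (002). Returns 0 when none are found, 1 otherwise, so it
#   can gate a deployment step.
audit_world_writable() {
    dir="$1"
    # -perm -MODE (all listed bits set) is POSIX; the -o joins the two checks.
    found=$(find "$dir" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# tighten_permissions DIR
#   Removes group and other write bits from every regular file under DIR that
#   has them. Owner bits, execute bits and directory modes are left untouched,
#   so a 0666 file becomes 0644 and a 0775 file becomes 0755.
tighten_permissions() {
    dir="$1"
    find "$dir" -type f \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# demo_tree
#   Builds a constructed sample "extracted" directory: one file carrying the
#   0666 default bits from the advisory, one file already at 0644. Prints the
#   directory path so callers can audit it.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/extracted"
    printf 'key=value\n' > "$tmp/extracted/config.ini"
    printf 'a,b,c\n'     > "$tmp/extracted/data.csv"
    chmod 0666 "$tmp/extracted/config.ini"   # constructed: mimics the defect
    chmod 0644 "$tmp/extracted/data.csv"     # constructed: already tight
    printf '%s\n' "$tmp/extracted"
}

# Stand-alone run: audit the sample tree, tighten it, audit again.
if [ "${1:-}" = "--demo" ]; then
    d=$(demo_tree)
    echo "Before tightening (world/group-writable files):"
    audit_world_writable "$d" || true
    tighten_permissions "$d"
    echo "After tightening:"
    audit_world_writable "$d" && echo "(none)"
fi
```

In a real workflow, call `audit_world_writable /path/to/extracted` right after the archive is unpacked and fail the step when it returns 1; run `tighten_permissions` only after confirming no extracted file legitimately needs group or world write access.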
Evidence notes
The source corpus ties CVE-2020-7063 to CISA CSAF advisory ICSA-26-027-02 for Festo Didactic SE MES PC and republishes the underlying Festo advisory information. The published CVE date supplied is 2024-02-27, and the source was modified/republished on 2026-01-27; those dates describe the advisory record, not a separate vulnerability event. No KEV listing is provided in the supplied data.
Official resources
- CVE-2020-7063 CVE record (CVE.org)
- CVE-2020-7063 NVD detail (NVD)
- Source item URL (cisa_csaf)
CVE-2020-7063 was published on 2024-02-27 in the supplied record; the CISA CSAF source was republished/modified on 2026-01-27. The advisory is not marked in CISA KEV in the provided data.