PatchSiren cyber security CVE debrief
CVE-2015-2348 Festo Didactic SE CVE debrief
CVE-2015-2348 is a file-handling flaw in PHP's move_uploaded_file implementation, rated critical in the supplied CVSS data. A destination pathname containing a NUL byte is truncated at that byte, so an extension check performed on the full string can pass while the file is created under a different, shorter name. The supplied advisory corpus notes that the issue stems from an incomplete fix for CVE-2006-7243 and maps it to Festo Didactic SE's MES PC advisory.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators and defenders responsible for Festo Didactic SE MES PC deployments named in the supplied CSAF advisory, especially where PHP-based upload handling or bundled XAMPP components may still be present, should validate exposure and patch status immediately.
Technical summary
The vulnerability is described as a pathname truncation issue in PHP ext/standard/basic_functions.c: when move_uploaded_file encounters a \x00 character in the destination pathname, the path is truncated at that byte before the move is performed. An application that validates the extension of the full string therefore sees, for example, a name ending in .jpg, while the file is actually written with the shorter name that ends in .php. Exploitation requires that client-supplied data reach that destination argument. The supplied record lists affected PHP branches as versions before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7, and identifies the weakness as CWE-626 (Null Byte Interaction Error).
Defensive priority
Critical. The supplied CVSS vector describes a network-reachable issue that requires no privileges or user interaction and carries high confidentiality, integrity, and availability impact; that is the worst case, in which an application passes attacker-influenced names to move_uploaded_file. Treat as urgent for any exposed or still-supported deployment that depends on the affected PHP behavior.
Recommended defensive actions
- Confirm whether any affected PHP versions are present in the MES PC environment or in any bundled web/upload component.
- Upgrade to PHP releases at or beyond 5.4.39, 5.5.23, or 5.6.7, or remove the affected component entirely where feasible. All three branches are themselves end of life, so in practice this means moving to a currently supported PHP release, every one of which contains the fix.
- Follow the supplied vendor remediation: obtain and deploy the current Factory Control Panel replacement for XAMPP from Festo technical support.
- Review upload and file-creation code paths: reject embedded NUL bytes and path separators in client-supplied names, whitelist extensions, and generate filenames server-side rather than reusing the client's name on disk.
- Audit for unexpected file creation or renamed uploads in systems that use the affected workflow, in particular for files with executable extensions inside directories meant to hold uploads only.
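The following PHP is an added example for this debrief; it is not code from the PatchSiren page, from Festo Didactic SE, or from the PHP project. It illustrates the mechanic described in the technical summary and the code-review action above: a naive end-of-name extension check passes a constructed name such as `shell.php\0.jpg`, the destination path is cut at the NUL the way the affected move_uploaded_file() cut it, and the file lands on disk as `shell.php`. Beside the vulnerable pattern sits a hardened handler for a currently supported PHP. The upload directory, the allowed-type table, the function names and the availability of the fileinfo extension are assumptions.

```php
<?php
// Added example for this debrief; not code from the PatchSiren page,
// Festo Didactic SE, or the PHP project. The upload directory, the
// allowed-type table and the function names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';                              // assumption
const ALLOWED    = ['jpg' => 'image/jpeg', 'png' => 'image/png'];  // assumption

// Extension check of the kind CVE-2015-2348 bypassed: it looks only at the
// end of the client-supplied name, so "shell.php\0.jpg" passes as a .jpg.
function naiveExtensionCheck(string $name): bool
{
    return preg_match('/\.(jpe?g|png)$/i', $name) === 1;
}

// Model of what the affected move_uploaded_file() did with its destination:
// the path reached C string handling, which stops at the first NUL, so
// "/var/www/uploads/shell.php\0.jpg" became "/var/www/uploads/shell.php".
function cStringTruncate(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// VULNERABLE pattern on PHP before 5.4.39 / 5.5.23 / 5.6.7: the check passes
// and the NUL-truncated destination is created with the attacker's extension.
function vulnerableSave(string $tmpPath, string $clientName): string
{
    if (!naiveExtensionCheck($clientName)) {
        throw new RuntimeException('extension not allowed');
    }
    $dest = UPLOAD_DIR . '/' . $clientName;
    move_uploaded_file($tmpPath, $dest);   // truncated at \0 on affected PHP
    return $dest;
}

// HARDENED pattern for a currently supported PHP (7.x/8.x; random_bytes and
// the fileinfo extension are assumed available).
function hardenedSave(string $tmpPath, string $clientName): string
{
    // 1. Refuse NUL bytes and path separators outright rather than relying
    //    on the runtime (post-fix PHP rejects NUL in paths itself; this is
    //    defence in depth and gives a clear error).
    if (strpos($clientName, "\0") !== false || strpbrk($clientName, "/\\") !== false) {
        throw new RuntimeException('invalid characters in filename');
    }
    // 2. Whitelist the extension; a missing or unknown extension is rejected.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // 3. Check content, not just the name: the temp file must carry the MIME
    //    type the extension claims.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 4. Never reuse the client name on disk: generate the server-side name.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $dest;
}

// Offline demonstration of the mechanic with a constructed filename; these
// two helpers need no real upload request.
if (PHP_SAPI === 'cli') {
    $crafted = "shell.php\0.jpg";   // constructed attacker-controlled input
    var_dump(naiveExtensionCheck($crafted));
    var_dump(cStringTruncate(UPLOAD_DIR . '/' . $crafted));
}
```

Run from the command line, the demonstration shows the naive check accepting the crafted name and the truncated destination ending in `shell.php`, which is exactly the combination the advisory describes. In `hardenedSave` the NUL and separator rejection in step 1 is what closes this bug directly; steps 2 to 4 are there because an extension check on a client-supplied name is weak even on patched PHP, and a server-generated name removes the client's influence over the on-disk path altogether.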
Evidence notes
The CVE description states that move_uploaded_file in PHP before 5.4.39/5.5.23/5.6.7 truncates a pathname at a NUL byte, allowing bypass of extension restrictions and unexpected file creation. The CISA CSAF source item maps CVE-2015-2348 to Festo Didactic SE MES PC and includes a remediation advising replacement of XAMPP with Factory Control Panel. The supplied references also include the official CVE record, NVD entry, and CWE-626 reference.
Official resources
- CVE-2015-2348 CVE record (CVE.org)
- CVE-2015-2348 NVD detail (NVD)
- Source item URL (cisa_csaf)
The supplied corpus places the advisory publication date at 2024-02-27 for the CISA CSAF republication, while the vulnerability itself is CVE-2015-2348. Use the supplied CVE and advisory dates as corpus context, not as the original bug-enc"