PatchSiren cyber security CVE debrief
CVE-2018-19518 Festo Didactic SE CVE debrief
CVE-2018-19518 is a command-argument injection issue in the University of Washington IMAP Toolkit 2007f on UNIX. In affected paths, untrusted IMAP server names can be passed into an rsh-style command without proper argument protection. If the environment uses a replacement program with different argument semantics, that can turn into arbitrary OS command execution. CISA’s republished advisory ties the issue to Festo Didactic SE MES PC and directs users toward the fixed Factory Control Panel replacement.
- Vendor
- Festo Didactic SE
- Product
- MES PC
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-02-27
- Original CVE updated
- 2026-01-27
- Advisory published
- 2024-02-27
- Advisory updated
- 2026-01-27
Who should care
Administrators of Festo Didactic SE MES PC, teams supporting PHP applications that call imap_open(), and anyone passing user-controlled IMAP server names into UW IMAP Toolkit-based code. Systems where rsh is linked to ssh or another wrapper with different argument parsing are especially important to review.
Technical summary
The supplied description says imap_open() and other products use imap_rimap in c-client/imap4r1.c and tcp_aopen in osdep/unix/tcp_unix.c to launch an rsh command without preventing argument injection. The risk requires untrusted IMAP server-name input, such as user-entered values in a web application. The example given is an IMAP server name containing a "-oProxyCommand" argument when rsh resolves to ssh, which can alter command behavior and lead to OS command execution.
Defensive priority
High
Recommended defensive actions
- Replace vulnerable MES PC deployments with the current Factory Control Panel release referenced by Festo support.
- Contact Festo technical support at [email protected] to obtain the current fixed version.
- Do not pass untrusted input directly into IMAP server-name parameters; allowlist and validate server names before use.
- Review any systems where rsh is provided by ssh or another wrapper with different argument semantics.
- Audit web applications and services that call PHP imap_open() or similar IMAP Toolkit paths for user-controlled IMAP host input.
- Apply CISA ICS recommended practices and related defense-in-depth guidance for operational systems.
Evidence notes
The primary evidence is the CISA CSAF source item for ICSA-26-027-02, which republishes the Festo advisory and includes the vulnerability description, the MES PC product context, and the remediation notice. The source description explicitly states that the IMAP Toolkit launches rsh without preventing argument injection and gives the ssh/-oProxyCommand example. The remediation entry states that Factory Control Panel replaces XAMPP on MES PCs and provides the vendor contact for the fixed version. Source timing shows publication on 2024-02-27 and modification on 2026-01-27; those are advisory dates, not the original vulnerability date. No KEV entry is provided in the supplied enrichment.
Official resources
-
CVE-2018-19518 CVE record
CVE.org
-
CVE-2018-19518 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed through CISA’s republished advisory ICSA-26-027-02 on 2024-02-27, with a later republication update on 2026-01-27. The supplied enrichment does not mark it as a KEV item.