PatchSiren cyber security CVE debrief
CVE-2018-19935 Festo Didactic SE CVE debrief
CVE-2018-19935 is a high-severity availability issue in PHP’s ext/imap component: an empty string passed as the message argument to imap_mail can lead to a NULL pointer dereference and application crash. In the supplied CISA CSAF context, this appears in the Festo Didactic SE MES PC advisory stream, so operators should treat the issue as relevant wherever that product line depends on the vulnerable PHP stack.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators and OT/industrial IT teams responsible for Festo Didactic SE MES PC deployments, especially systems using PHP 5.x or 7.x before 7.3.0 or related XAMPP/Factory Control Panel components referenced in the advisory.
Technical summary
The advisory describes a remote denial-of-service condition in ext/imap/php_imap.c. If imap_mail is called with an empty string in the message argument, the affected PHP versions can dereference NULL and crash the application. The supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) matches a network-reachable, no-privileges, no-user-interaction availability impact. The source corpus ties the issue to Festo Didactic SE MES PC, while the underlying flaw is in PHP before 7.3.0.
Defensive priority
High for any exposed MES PC or PHP/imap deployment using the affected component, because the bug is remotely triggerable and can cause immediate service interruption.
Recommended defensive actions
- Confirm whether any MES PC environment uses PHP 5.x or 7.x before 7.3.0, or other affected ext/imap deployments.
- Install the supported vendor replacement referenced in the advisory: Factory Control Panel/current Festo-supported release for MES PCs.
- Remove or retire unsupported XAMPP/PHP stacks where possible, especially on systems that must remain available.
- Add server-side input validation so empty message arguments are rejected before imap_mail is invoked; treat this as a compensating control while the PHP stack is still on an affected version, not as a substitute for upgrading.
- Restrict network exposure to MES PC services and apply segmentation and defense-in-depth controls to reduce denial-of-service impact.
- Monitor PHP/application logs for crashes or restarts involving imap-related services and verify recovery procedures and backups.
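The validation step above, as an added example that is not part of the advisory or of any Festo or PHP project code. It wraps the real PHP function imap_mail() so that an empty or whitespace-only message body is rejected before the extension is called, and it uses PHP_VERSION with version_compare() to flag a runtime in the range the advisory lists as affected (5.x and 7.x before 7.3.0). The names safe_imap_mail() and imap_stack_is_affected(), and the recipient address, are assumptions made for this example.

```php
<?php
// Added example (not from the advisory): guard imap_mail() against the
// empty-message input that triggers the CVE-2018-19935 NULL dereference,
// and flag PHP versions the advisory lists as affected.
// safe_imap_mail() and imap_stack_is_affected() are names chosen here;
// imap_mail(), PHP_VERSION and version_compare() are real PHP symbols.

declare(strict_types=1);

/**
 * True when the running PHP falls in the range the advisory describes as
 * affected (PHP 5.x and PHP 7.x before 7.3.0).
 */
function imap_stack_is_affected(string $version = PHP_VERSION): bool
{
    return version_compare($version, '7.3.0', '<');
}

/**
 * Wrapper around imap_mail() that validates arguments before calling into
 * ext/imap. An empty body raises InvalidArgumentException instead of being
 * handed to the extension, so a request with no message text cannot reach
 * the vulnerable code path on an unpatched stack.
 */
function safe_imap_mail(
    string $to,
    string $subject,
    string $message,
    ?string $additionalHeaders = null
): bool {
    // Reject empty or whitespace-only bodies: this is the input the
    // advisory describes as crashing affected PHP versions.
    if (trim($message) === '') {
        throw new InvalidArgumentException('imap_mail: message body must not be empty');
    }
    if (trim($to) === '') {
        throw new InvalidArgumentException('imap_mail: recipient must not be empty');
    }
    if (!function_exists('imap_mail')) {
        throw new RuntimeException('ext/imap is not loaded');
    }
    return imap_mail($to, $subject, $message, $additionalHeaders);
}

// Report the exposure at startup so the version gap appears in logs before
// any crash would. Upgrading remains the actual fix.
if (imap_stack_is_affected()) {
    error_log('WARNING: PHP ' . PHP_VERSION
        . ' is in the CVE-2018-19935 affected range (before 7.3.0); upgrade the stack');
}

// Constructed input: an empty body, the case the wrapper exists to stop.
try {
    safe_imap_mail('ops@example.invalid', 'MES status', '');
} catch (InvalidArgumentException $e) {
    // Expected for the constructed empty-body input above.
    error_log('Rejected imap_mail call: ' . $e->getMessage());
}
```

The wrapper is deliberately narrow: it only screens the arguments that reach imap_mail(), so it reduces the chance of an availability incident on a stack that cannot be upgraded immediately, while the version check keeps the underlying exposure visible in monitoring until the PHP upgrade the advisory calls for is in place.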
Evidence notes
The supplied source item is a CISA CSAF republication for Festo Didactic SE MES PC and explicitly describes the PHP ext/imap NULL pointer dereference when imap_mail receives an empty message string. The advisory metadata provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, supporting a remote, no-privileges, high-availability-impact assessment. The corpus also includes an original vendor advisory reference and a remediation entry dated 2023-05-26, while the public CISA republished item used here was published on 2024-02-27 and later modified on 2026-01-27; those dates describe advisory publication history, not the vulnerability’s origin.
Official resources
- CVE-2018-19935 CVE record (CVE.org)
- CVE-2018-19935 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references: seven entries in the supplied CISA CSAF item; link targets are not preserved in this copy
Public advisory context in the supplied corpus was published by CISA on 2024-02-27 and later republished/modified on 2026-01-27. The source materials indicate an earlier vendor remediation date of 2023-05-26. The underlying flaw itself is a