PatchSiren cyber security CVE debrief
CVE-2019-11036 Festo Didactic SE CVE debrief
CVE-2019-11036 is a critical PHP EXIF out-of-bounds read that can cause information disclosure or a crash when processing certain files. In the supplied CISA CSAF advisory, Festo Didactic SE maps this issue to MES PC deployments and recommends moving away from the affected XAMPP-based setup to Factory Control Panel. Defenders should verify whether any MES PC or related systems still rely on affected PHP EXIF handling, especially where untrusted files are processed.
- Vendor
- Festo Didactic SE
- Product
- MES PC
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Source item published
- 2024-02-27 (the date of the stored source item, not of the original 2019 CVE record)
- Source item updated
- 2026-01-27
- Advisory published
- 2024-02-27
- Advisory updated
- 2026-01-27
Who should care
Festo Didactic SE MES PC operators, OT/ICS administrators, and defenders responsible for any system that processes untrusted files through bundled or independently managed PHP EXIF components.
Technical summary
The flaw is in PHP's EXIF extension, specifically exif_process_IFD_TAG, the routine that walks the tags of an image's IFD (Image File Directory). A crafted file can make it read past the allocated buffer. The affected PHP releases listed in the source are 7.1.x before 7.1.29, 7.2.x before 7.2.18, and 7.3.x before 7.3.5. The reachable entry points are the extension's user-facing functions (exif_read_data, exif_thumbnail and the code paths that call them), so any workflow that passes externally supplied images through them is exposed. The practical impact is confidentiality loss, because out-of-bounds heap bytes can end up in the returned EXIF fields, and process instability or a crash of the PHP worker; the supplied advisory ties the exposure to Festo Didactic SE MES PC contexts that used XAMPP/PHP.
Defensive priority
Critical for any exposed or file-processing MES PC deployment; prioritize urgent inventory, remediation, and validation.
Recommended defensive actions
- Inventory Festo Didactic SE MES PC instances and confirm whether they use the affected PHP EXIF component or the bundled XAMPP stack referenced in the advisory.
- Obtain and deploy the vendor-referenced replacement: Factory Control Panel, using the current version from Festo technical support.
- If PHP is managed separately, upgrade to at least PHP 7.1.29, 7.2.18, or 7.3.5, consistent with the vulnerable-version ranges in the CVE description. Note that the whole PHP 7.x line is end-of-life, so a currently supported PHP release is the sustainable target; the cutoffs above are only the minimum that closes this CVE.
- Review workflows that process untrusted or externally supplied files and limit exposure until remediation is complete.
- Monitor for unexpected crashes or signs of abnormal file-processing behavior and validate remediation using vendor and CISA guidance.
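The inventory and version-range checks above can be scripted. The following POSIX shell snippet is an added example written for this debrief, not code from Festo Didactic SE, PatchSiren, or the PHP project. It encodes the three vulnerable ranges from the CVE description as a predicate, then (optionally) asks a PHP binary for its version and whether the exif extension is loaded. The binary path is an assumption: on an XAMPP-based MES PC it would typically be the php executable under the XAMPP installation directory, on a Linux host usually plain php.

```sh
#!/bin/sh
# Added example (not vendor code): check a PHP version against the
# CVE-2019-11036 ranges from the CVE description:
#   7.1.x < 7.1.29, 7.2.x < 7.2.18, 7.3.x < 7.3.5
# Branches the CVE does not name (5.x, 7.0.x, 7.4+) are reported as
# "outside listed ranges", which is not the same as "safe".
# Exit status: 0 = in a vulnerable range, 1 = outside, 2 = unparseable.
php_exif_vulnerable() {
  # Reduce "7.2.17-0ubuntu0.18.04.1" or "7.3.4RC1" to "7.2.17" / "7.3.4".
  ver=$(printf '%s' "$1" | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/')
  case "$ver" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "unparseable PHP version: $1" >&2; return 2 ;;
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  case "$major.$minor" in
    7.1) [ "$patch" -lt 29 ] ;;
    7.2) [ "$patch" -lt 18 ] ;;
    7.3) [ "$patch" -lt 5 ] ;;
    *)   return 1 ;;
  esac
}

# Ask an installed PHP binary (path is an assumption, default "php") for
# its version and whether the exif extension is loaded, then print a
# one-line verdict. Same exit status convention as php_exif_vulnerable.
audit_php_binary() {
  bin=${1:-php}
  ver=$("$bin" -r 'echo PHP_VERSION;' 2>/dev/null) || {
    echo "cannot execute $bin" >&2
    return 2
  }
  # "php -m" prints one loaded module per line; match the exif line exactly.
  if "$bin" -m 2>/dev/null | grep -qix 'exif'; then
    exif=loaded
  else
    exif=not-loaded
  fi
  if php_exif_vulnerable "$ver"; then
    echo "$bin $ver exif=$exif VULNERABLE to CVE-2019-11036"
    return 0
  fi
  echo "$bin $ver exif=$exif outside listed ranges"
  return 1
}

# Stand-alone use: ./php_exif_check.sh /path/to/php
# Exit 1 when the binary is in a vulnerable range (a failing check),
# 0 when outside the ranges, 2 when the binary could not be queried.
if [ $# -gt 0 ]; then
  audit_php_binary "$1"
  case $? in
    0) exit 1 ;;
    1) exit 0 ;;
    *) exit 2 ;;
  esac
fi
```

The predicate treats the version string literally, so a distribution build that backported the fix while keeping a pre-cutoff version number will still be flagged; confirm against the distributor's changelog in that case. Where EXIF handling is not needed at all, disabling the exif extension in php.ini (commenting out its extension= line and confirming with php -m that exif no longer appears) removes the reachable code until the vendor-recommended replacement or PHP upgrade is in place.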
Evidence notes
The source advisory explicitly links CVE-2019-11036 to Festo Didactic SE MES PC and states that Factory Control Panel replaces XAMPP on those MES PCs. The CVE description provided in the corpus matches the PHP EXIF issue: an out-of-bounds read in exif_process_IFD_TAG that can lead to information disclosure or a crash. The source also supplies exact vulnerable version cutoffs for PHP 7.1, 7.2, and 7.3.
Official resources
- CVE-2019-11036 CVE record (CVE.org)
- CVE-2019-11036 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
The supplied source item was published on 2024-02-27 and modified on 2026-01-27; the vendor remediation referenced in the source is dated 2023-05-26. Use those dates as advisory and remediation context only, not as the original flaw date, a