PatchSiren cyber security CVE debrief
CVE-2019-11040 Festo Didactic SE CVE debrief
CVE-2019-11040 is an out-of-bounds read in PHP's EXIF parsing path. In the supplied advisory, attacker-supplied image data can cause PHP to read past an allocated buffer, which may result in information disclosure or a crash. The CISA CSAF record maps the issue to Festo Didactic SE MES PC and cites remediation through Factory Control Panel as a replacement for XAMPP on those systems.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Festo Didactic SE MES PC administrators and maintainers, especially environments still using XAMPP-based images or any deployment that parses untrusted images with PHP EXIF functions such as exif_read_data(). Security teams responsible for patching embedded PHP runtimes in OT/industrial support systems should also review exposure.
Technical summary
The advisory describes a memory safety issue in PHP EXIF processing. A crafted image can trigger an out-of-bounds read in PHP 7.1.x below 7.1.30, 7.2.x below 7.2.19, and 7.3.x below 7.3.6. The stated impact is information disclosure or a crash, and the supplied CVSS vector rates it as network exploitable with no privileges or user interaction required.
Defensive priority
Critical
Recommended defensive actions
- Obtain and deploy the current Factory Control Panel from Festo technical support, as listed in the advisory, to replace vulnerable XAMPP-based MES PC components.
- Verify that any PHP runtime handling EXIF data is updated to a fixed release: 7.1.30 or later, 7.2.19 or later, or 7.3.6 or later.
- Inventory MES PC images and remove or isolate legacy components that still rely on vulnerable PHP EXIF parsing.
- Treat untrusted image content as hostile: minimize exposure of upload or import paths that invoke EXIF parsing.
- Plan for the component or service restart that the remediation entry implies, both before and after the replacement.
- Monitor affected systems for abnormal crashes or unexpected data exposure until the fix is confirmed installed.
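The version check in the actions above, and the affected ranges from the technical summary, can be turned into a repeatable inventory step. The script below is an added example, not code from PatchSiren, Festo or CISA. It assumes only the fixed releases named in the debrief (7.1.30, 7.2.19, 7.3.6); any branch the advisory does not name (for example 7.0.x or 7.4.x) is reported as "not covered" rather than guessed. It also checks whether the `exif` extension is loaded, since a build that never loads exif does not expose the parsing path. The sample `php -v` and `php -m` output embedded at the bottom is constructed for the demonstration.

```python
"""Classify a PHP build against the CVE-2019-11040 fixed releases named in the advisory.

Added example (not PatchSiren, Festo or CISA code). It assumes the fixed-version
list from the debrief: 7.1.30, 7.2.19, 7.3.6. Branches the advisory does not
name are reported as "not covered" rather than guessed.
"""
import re
import subprocess
from typing import Optional, Tuple

# Minor branch -> first fixed patch level, as stated in the advisory text.
FIXED_RELEASES = {
    (7, 1): 30,
    (7, 2): 19,
    (7, 3): 6,
}

_VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(php_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    m = _VERSION_RE.search(php_v_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify_version(version: Tuple[int, int, int]) -> str:
    """Return 'vulnerable', 'fixed' or 'not covered' for the advisory's ranges."""
    major, minor, patch = version
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return "not covered"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def exif_loaded(php_m_output: str) -> bool:
    """True if the `exif` extension appears in `php -m` output."""
    return any(line.strip().lower() == "exif" for line in php_m_output.splitlines())


def assess(php_v_output: str, php_m_output: str) -> dict:
    """Combine version status and EXIF module presence into one exposure verdict."""
    version = parse_php_version(php_v_output)
    status = classify_version(version) if version else "unknown"
    has_exif = exif_loaded(php_m_output)
    return {
        "version": version,
        "status": status,
        "exif_loaded": has_exif,
        # Only a vulnerable build that actually loads exif exposes the parsing path.
        "exposed": status == "vulnerable" and has_exif,
    }


def assess_local_php() -> dict:
    """Run `php -v` and `php -m` on this host (requires php on PATH)."""
    v = subprocess.run(["php", "-v"], capture_output=True, text=True, check=True).stdout
    m = subprocess.run(["php", "-m"], capture_output=True, text=True, check=True).stdout
    return assess(v, m)


if __name__ == "__main__":
    # Constructed sample output standing in for a legacy XAMPP build; not real host data.
    SAMPLE_V = "PHP 7.3.5 (cli) (built: May  1 2019 12:00:00)\n"
    SAMPLE_M = "[PHP Modules]\nbcmath\nCore\nexif\nmbstring\n\n[Zend Modules]\n"
    print(assess(SAMPLE_V, SAMPLE_M))
```

Run `assess_local_php()` on each MES PC image under review; a result of `"exposed": True` marks a host that still needs the Factory Control Panel replacement or a PHP update to a fixed release, while `"not covered"` means the branch falls outside the advisory's stated ranges and should be checked against the vendor's own guidance rather than assumed safe.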
Evidence notes
All substantive claims are taken from the supplied CISA CSAF advisory for ICSA-26-027-02, the embedded Festo remediation note, and the linked CVE/CVSS references. The source corpus states that PHP EXIF parsing can read past an allocated buffer and that the impact may be information disclosure or crash. The vendor remediation entry states that Factory Control Panel replaces XAMPP on MES PCs and links the fix to that replacement. Timing in this debrief uses the supplied CVE/advisory publication dates and the separate CISA republication date; it does not infer a vulnerability origin date beyond the source record.
Official resources
- CVE-2019-11040 CVE record (CVE.org)
- CVE-2019-11040 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly documented in the supplied CISA CSAF advisory dated 2024-02-27, with a later CISA republication recorded on 2026-01-27. The remediation entry in the advisory is dated 2023-05-26. This debrief uses the supplied advisory publication/