PatchSiren cyber security CVE debrief

CVE-2019-11041 Festo Didactic SE CVE debrief

CVE-2019-11041 is an out-of-bounds read in PHP's EXIF parser. When exif_read_data() processes crafted image metadata, affected PHP versions can read past an allocated buffer, which may leak memory contents or crash the process. In the supplied CISA/Festo advisory context, the issue is tied to Festo Didactic SE MES PC, and the documented remediation is a replacement Factory Control Panel for MES PCs that includes fixes for these vulnerabilities.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Administrators and operators of Festo Didactic SE MES PC systems, especially where the vendor-provided Factory Control Panel/XAMPP stack is in use. Security teams supporting OT/ICS environments should also prioritize review if the installation processes untrusted images through PHP EXIF functionality.

Technical summary

The vulnerability affects PHP 7.1.x below 7.1.31, 7.2.x below 7.2.21, and 7.3.x below 7.3.8. During EXIF parsing, a malformed image can cause PHP to read beyond the allocated buffer, leading to information disclosure or a crash. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H: a network attack vector with low complexity and no privileges required, but user interaction is required, with low confidentiality impact and high availability impact, which matches the leak-or-crash outcome described above.

Defensive priority

High

Recommended defensive actions

  • Identify any Festo MES PC installations and confirm whether they use the vendor-provided Factory Control Panel/XAMPP component set.
  • Verify the PHP version in any affected stack and move to a fixed release or the vendor-recommended replacement package.
  • Limit exposure to untrusted image files and review any workflow that automatically imports, previews, or processes images through PHP EXIF parsing.
  • Monitor affected systems for crashes, abnormal PHP behavior, or memory-disclosure indicators around image ingestion paths.
  • Follow CISA ICS recommended practices for segmentation, least privilege, and defensive monitoring on OT/ICS endpoints.
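The version-verification and exposure-review steps above can be scripted for an inventory sweep. The following is an added example written for this debrief, not code from PatchSiren, Festo or the PHP project. It takes the text of `php -v` and `php -m` (as captured from a host, or collected live with the optional helper), decides whether the reported release sits inside one of the three affected branches named in the technical summary, and checks whether the `exif` extension (which provides `exif_read_data()`) is loaded at all. The sample outputs embedded below are constructed for illustration; the function names and verdict strings are this example's own.

```python
import re
import subprocess

# Fixed releases named in the technical summary: 7.1.x < 7.1.31, 7.2.x < 7.2.21, 7.3.x < 7.3.8.
FIXED_IN = {
    (7, 1): 31,
    (7, 2): 21,
    (7, 3): 8,
}

# First line of `php -v` looks like: "PHP 7.3.7 (cli) (built: ...) ( NTS )"
_VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample outputs (not captured from a real MES PC).
SAMPLE_PHP_V = (
    "PHP 7.3.7 (cli) (built: Jul  4 2019 11:19:54) ( NTS )\n"
    "Copyright (c) 1997-2018 The PHP Group\n"
)
SAMPLE_PHP_M = "[PHP Modules]\nbcmath\nCore\nctype\nexif\ngd\n\n[Zend Modules]\n"


def parse_php_version(php_v_output):
    """Extract (major, minor, patch) from `php -v` output; raise if no version line is found."""
    m = _VERSION_RE.search(php_v_output)
    if not m:
        raise ValueError("could not find a PHP version line in the supplied output")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version is below the fixed release of its branch, False if at or above it.

    Returns None for branches the advisory text does not list, so that callers cannot
    mistake 'not covered by this list' for 'known safe'.
    """
    major, minor, patch = version
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return None
    return patch < fixed_patch


def exif_extension_loaded(php_m_output):
    """True when `php -m` lists the exif module, i.e. exif_read_data() is available."""
    return any(line.strip().lower() == "exif" for line in php_m_output.splitlines())


def triage(php_v_output, php_m_output):
    """Combine the version and extension checks into a single verdict for one host."""
    version = parse_php_version(php_v_output)
    affected = is_affected_version(version)
    exif = exif_extension_loaded(php_m_output)
    if affected is None:
        verdict = "UNKNOWN: branch not in the advisory's version list; check the vendor notice"
    elif not affected:
        verdict = "FIXED: release is at or above the fixed version for its branch"
    elif exif:
        verdict = "VULNERABLE: affected release with exif loaded; apply the fixed release or vendor replacement package"
    else:
        verdict = "AFFECTED VERSION: exif not loaded, so exif_read_data() is unreachable here; still upgrade"
    return {
        "version": version,
        "affected": affected,
        "exif_loaded": exif,
        "verdict": verdict,
    }


def collect_live():
    """Run `php -v` and `php -m` on the current host (requires php on PATH)."""
    v = subprocess.run(["php", "-v"], capture_output=True, text=True, check=True).stdout
    m = subprocess.run(["php", "-m"], capture_output=True, text=True, check=True).stdout
    return v, m


if __name__ == "__main__":
    try:
        php_v, php_m = collect_live()
    except (OSError, subprocess.CalledProcessError):
        # No local php binary: fall back to the constructed samples so the script still runs.
        php_v, php_m = SAMPLE_PHP_V, SAMPLE_PHP_M
    result = triage(php_v, php_m)
    print("PHP %d.%d.%d" % result["version"], "-", result["verdict"])
```

The `None` return for unlisted branches is deliberate: the debrief only names 7.1, 7.2 and 7.3, and a sweep script should surface anything else (including a bundled XAMPP build on an older branch) for a human to check against the vendor notice rather than silently reporting it as clean.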

Evidence notes

The source corpus consistently describes a PHP EXIF buffer read-past-allocated-buffer issue that can cause information disclosure or crash. The advisory is a CISA CSAF republication of a Festo notice (tracking ID ICSA-26-027-02 / advisory FSA-202402), and the remediation entry states that Factory Control Panel for MES PCs replaces XAMPP and includes fixes for these vulnerabilities. The provided CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H. No KEV entry or active-exploitation claim is present in the supplied data.

Official resources

Publicly disclosed in vendor/CISA materials, with the supplied source item published on 2024-02-27 and republished by CISA on 2026-01-27. The provided data does not mark it as a CISA KEV item.