PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-11042 Festo Didactic SE CVE debrief

CVE-2019-11042 is an out-of-bounds read in PHP’s EXIF parsing path. In the Festo Didactic MES PC advisory context, the affected software stack is associated with Factory Control Panel/XAMPP on MES PCs. The flaw can cause information disclosure or a crash when EXIF data from an image is processed, including through functions such as exif_read_data().

Vendor: Festo Didactic SE
Product: MES PC
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Operators and maintainers of Festo Didactic MES PC deployments, especially teams responsible for the Factory Control Panel/XAMPP software stack and any workflow that ingests untrusted images. Security teams monitoring PHP-based services should also review exposure.

Technical summary

The source advisory states that PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21, and 7.3.x below 7.3.8 can be made to read past an allocated buffer while parsing EXIF metadata. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H, which reflects remote reachability with required user interaction and potential confidentiality loss plus high availability impact.

Defensive priority

High

Recommended defensive actions

  • Identify MES PC assets that use Factory Control Panel or any bundled PHP/XAMPP components referenced in the advisory.
  • Move to the current Factory Control Panel release available through Festo technical support, as cited in the source remediation note.
  • If PHP is managed separately, verify EXIF-related components are at or above the fixed versions noted in the advisory: 7.1.31, 7.2.21, or 7.3.8.
  • Reduce exposure to untrusted image content and review any upload, import, or automated processing paths that invoke EXIF parsing.
  • Monitor affected hosts for unexpected application crashes or information-disclosure indicators during image handling workflows.
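As an added example (not part of the advisory or any Festo or PHP project code), the following Python script turns the version thresholds above into a repeatable check: it parses the banner line of `php -v`, classifies the build against the three branches the advisory names, and reads `php -m` to confirm whether the exif extension is even loaded. The sample banners are constructed; versions in branches the advisory does not mention (7.0.x, 7.4+) are reported as out of scope rather than guessed at.

```python
"""Added example: classify a PHP build against the CVE-2019-11042 fix releases."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per minor branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (7, 1): (7, 1, 31),
    (7, 2): (7, 2, 21),
    (7, 3): (7, 3, 8),
}

def parse_php_version(php_v_output: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from the first line of `php -v` output;
    returns None when the banner is not recognisable."""
    m = re.search(r"^PHP (\d+)\.(\d+)\.(\d+)", php_v_output, re.MULTILINE)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def cve_2019_11042_status(version: Version) -> str:
    """'affected'     : in a named branch and below its fix release
       'fixed'        : in a named branch at or above its fix release
       'out-of-scope' : branch not covered by the advisory (no verdict)"""
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "out-of-scope"
    return "affected" if version < fixed else "fixed"

def assess(php_v_output: str) -> str:
    """Convenience wrapper: banner text in, status string out."""
    version = parse_php_version(php_v_output)
    return "unknown" if version is None else cve_2019_11042_status(version)

def exif_enabled(php_m_output: str) -> bool:
    """True if `php -m` lists the exif extension; without it the EXIF
    parsing path that the advisory describes is not reachable."""
    return any(line.strip().lower() == "exif" for line in php_m_output.splitlines())

# Constructed sample banners (not captured from a real MES PC).
SAMPLES = {
    "PHP 7.3.7 (cli) (built: Jul  3 2019 10:00:00) ( NTS )": "affected",
    "PHP 7.2.21 (cli) (built: Jul 30 2019 10:00:00) ( NTS )": "fixed",
    "PHP 7.4.33 (cli) (built: Nov  1 2022 10:00:00) ( NTS )": "out-of-scope",
}

if __name__ == "__main__":
    for banner, expected in SAMPLES.items():
        print(f"{banner.split(' (')[0]:<12} -> {assess(banner)} (expected {expected})")
```

On a host, feed it `subprocess.run(["php", "-v"], capture_output=True, text=True).stdout` and the matching `php -m` output; a Factory Control Panel bundle that ships its own PHP binary needs that binary's path, not the system one.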

Evidence notes

The source corpus is a CISA CSAF republication published on 2024-02-27 and modified on 2026-01-27. It explicitly describes the PHP EXIF buffer read issue and links remediation to a Factory Control Panel replacement for XAMPP on MES PCs. The provided source set does not include a KEV listing or threat-campaign entry.

Official resources

Publicly disclosed advisory information republished by CISA. The supplied source set does not indicate KEV inclusion or active exploitation in the wild.