PatchSiren cyber security CVE debrief
CVE-2019-11044 Festo Didactic SE CVE debrief
CISA’s advisory maps CVE-2019-11044 to Festo Didactic SE MES PC systems. The underlying issue is in PHP on Windows: the link() function can accept filenames with an embedded NUL byte and treat the string as ending there, which can defeat application path checks. For the affected MES PC deployment, Festo directs customers to replace XAMPP with Factory Control Panel and contact technical support for the current fixed version.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
OT/ICS operators, MES PC administrators, Windows system owners, and developers or integrators who rely on PHP-based path validation or link-handling on Festo MES PC deployments.
Technical summary
The supplied advisory describes CVE-2019-11044 as affecting PHP 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0 on Windows. In that context, PHP link() accepts filenames containing an embedded NUL byte and interprets the NUL as the end of the string. That behavior can let an attacker bypass application-level checks that are intended to constrain which paths may be accessed or created. The advisory maps this CVE to Festo Didactic SE MES PC and lists a vendor remediation that replaces XAMPP on the MES PCs with Factory Control Panel.
Defensive priority
High. The supplied CVSS is 7.5, and the flaw can undermine path validation on Windows systems that depend on the affected PHP behavior.
Recommended defensive actions
- Identify whether any Festo Didactic SE MES PC systems use the affected PHP/XAMPP stack on Windows.
- Upgrade or replace the vulnerable component stack so that PHP is at least 7.2.26 (7.2 branch) or 7.3.13 (7.3 branch) or later, or otherwise remove the affected PHP version.
- Follow Festo’s remediation path: obtain the current Factory Control Panel version from Festo technical support and deploy it as the replacement for XAMPP on MES PCs.
- Review application code and configuration that validate file paths before calling link() or related filesystem functions.
- Re-test path validation and filesystem access controls after remediation to confirm NUL-byte inputs are rejected or normalized safely.
- Monitor logs for unexpected filesystem operations or unusual link creation attempts on affected hosts until remediation is complete.
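One way to implement the path validation the technical summary and the actions above call for, written here as an added example rather than code from the advisory or from Festo. It assumes PHP 7.2 or later on Windows; BASE_DIR, weakCheck, confinedPath and safeLink are hypothetical names chosen for illustration, and the directory value is constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the advisory or from Festo. BASE_DIR is an
// assumed directory for illustration; the real MES PC layout is not known here.
const BASE_DIR = 'C:\\xampp\\htdocs\\app\\data';
// A weak check of the kind the NUL-byte behaviour defeats: it inspects the whole
// PHP string, but the affected link() on Windows stops at the first NUL byte, so
// "secret.ini\0.log" passes the check while link() operates on "secret.ini".
function weakCheck(string $path): bool
{
    return substr($path, -4) === '.log';
}
// Hardened validation: reject NUL bytes, canonicalise, and confine to $base.
// Returns the canonical path, or null if the input must not reach link().
function confinedPath(string $base, string $candidate, bool $mustExist): ?string
{
    if (strpos($candidate, "\0") !== false) {   // a NUL byte is never legitimate
        return null;
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    if ($mustExist) {                            // link target: must resolve
        $resolved = realpath($base . DIRECTORY_SEPARATOR . $candidate);
    } else {                                     // link name: does not exist yet
        $name = basename($candidate);
        if ($name === '' || $name === '.' || $name === '..') {
            return null;
        }
        $parent   = realpath($base . DIRECTORY_SEPARATOR . dirname($candidate));
        $resolved = $parent === false ? false : $parent . DIRECTORY_SEPARATOR . $name;
    }
    if ($resolved === false) {
        return null;
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;   // Windows paths compare case-insensitively
    $inside = PHP_OS_FAMILY === 'Windows'
        ? strncasecmp($resolved, $prefix, strlen($prefix)) === 0
        : strncmp($resolved, $prefix, strlen($prefix)) === 0;
    return $inside ? $resolved : null;
}
// Only values that passed the hardened check are handed to link().
function safeLink(string $target, string $linkName): bool
{
    $t = confinedPath(BASE_DIR, $target, true);
    $l = confinedPath(BASE_DIR, $linkName, false);
    return $t !== null && $l !== null && link($t, $l);
}
```

The explicit NUL check matters because the validator must not rely on link() rejecting such input on the affected versions; the confinement check then also rejects absolute paths and dot-segment escapes.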
Evidence notes
The source corpus provides the CVE description, CVSS vector, vendor/product mapping, and remediation guidance. It does not provide exploit code, observed exploitation, asset counts, or KEV status. Timeline fields supplied with the advisory show initial publication on 2024-02-27 and a later CISA republication/metadata update on 2026-01-27; those are advisory dates, not the original flaw date.
Official resources
- CVE-2019-11044 CVE record (CVE.org)
- CVE-2019-11044 NVD detail (NVD)
- Source item URL: cisa_csaf
The supplied corpus ties CVE-2019-11044 to a CISA CSAF advisory for Festo Didactic SE MES PC. The advisory source item is dated 2024-02-27, with a CISA republication/update on 2026-01-27. No KEV listing or ransomware campaign linkage is set