PatchSiren cyber security CVE debrief
CVE-2019-11045 Festo Didactic SE CVE debrief
CVE-2019-11045 covers a PHP DirectoryIterator issue where filenames containing an embedded NUL byte can be treated as ending at that byte. In applications that rely on path validation before access, this can undermine access controls and expose files that should remain unreadable. The Festo Didactic SE MES PC advisory ties the issue to MES PC deployments and points operators to a replacement Factory Control Panel build that includes fixes.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Festo Didactic SE MES PC operators, OT/ICS administrators, application owners who rely on PHP path validation, and security teams responsible for systems using bundled PHP/XAMPP components. Pay particular attention to environments where MES PC handles sensitive local files or is exposed to network-facing requests.
Technical summary
The vulnerability is a PHP DirectoryIterator path-handling flaw: filenames with an embedded NUL byte may be interpreted as terminating early. If software checks a path first and then performs file access based on the truncated value, an attacker can potentially bypass intended file-scope restrictions. The supplied advisory links this CVE to Festo MES PC and recommends moving from XAMPP to Factory Control Panel.
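The check-then-use pattern described above is the one to look for during review: a validator that reasons about the full string while the filesystem call sees only the bytes before the NUL. The following PHP is an added example written for this debrief (it is not PatchSiren's, Festo's, or MES PC code); the function name listAllowedDirectory and the temporary "reports"/"secret" tree it builds are constructed for the demonstration. It rejects embedded NUL bytes on the raw input before any filesystem call, so the result does not depend on whether the running PHP build truncates at the NUL (affected versions) or rejects it (fixed versions), and only then resolves the path and checks that it stays under the allowed base.

```php
<?php
// Added example, not from the debrief or from Festo. Names are the author's own.
declare(strict_types=1);

/**
 * Return the sorted file names inside $base/$requested, or throw.
 * Validation happens on the raw string first, then on the resolved path,
 * and DirectoryIterator only ever receives the fully validated result.
 */
function listAllowedDirectory(string $base, string $requested): array
{
    // 1. A name the validator sees in full but a filesystem call sees
    //    truncated is exactly the CVE-2019-11045 bug class, so refuse it here.
    if (strpos($requested, "\0") !== false) {
        throw new InvalidArgumentException('path contains an embedded NUL byte');
    }

    // 2. Resolve both sides and confirm the target remains inside $base.
    $realBase = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($realBase === false || $target === false) {
        throw new RuntimeException('directory does not exist');
    }
    if ($target !== $realBase
        && strpos($target, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes the allowed base directory');
    }

    // 3. Only the validated, resolved path reaches DirectoryIterator.
    $names = [];
    foreach (new DirectoryIterator($target) as $entry) {
        if ($entry->isDot()) {
            continue;
        }
        $names[] = $entry->getFilename();
    }
    sort($names);
    return $names;
}

// --- constructed demonstration tree under the system temp directory ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mes-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/reports', 0700, true);
mkdir($root . '/secret', 0700, true);
touch($root . '/reports/shift1.csv');
touch($root . '/secret/config.ini');

$cases = [
    'reports',              // legitimate request
    "reports\0/../secret",  // truncation at the NUL would make this look like "reports"
    '..',                   // plain traversal out of the base
];
foreach ($cases as $case) {
    $shown = addcslashes($case, "\0");
    try {
        printf("%-24s -> %s\n", $shown, implode(',', listAllowedDirectory($root, $case)));
    } catch (Throwable $e) {
        printf("%-24s -> rejected: %s\n", $shown, $e->getMessage());
    }
}

// Remove the demonstration tree again.
unlink($root . '/reports/shift1.csv');
unlink($root . '/secret/config.ini');
rmdir($root . '/reports');
rmdir($root . '/secret');
rmdir($root);
```

The first case lists shift1.csv; the second is rejected by the NUL check before realpath() or DirectoryIterator see it; the third resolves to the temp directory itself and is rejected by the base-directory check. When reviewing MES PC or similar PHP code, the question to ask of every path check is whether it runs on the same bytes the filesystem call will use.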
Defensive priority
Medium priority, with higher urgency on any MES PC deployment that depends on PHP for file/path authorization or stores sensitive operational data. CVSS 5.9 reflects network reachability combined with high attack complexity, and an impact on confidentiality rather than on integrity or availability.
Recommended defensive actions
- Identify all Festo MES PC installations and confirm whether they use the affected XAMPP/PHP stack referenced in the advisory.
- Obtain and deploy the current Factory Control Panel version from Festo support, as referenced in the remediation guidance.
- Review any application logic that validates file paths before reading or listing files, especially code using PHP DirectoryIterator.
- Restrict access to MES PC services and monitor for unexpected file enumeration or authorization failures.
- Verify upgrade status across similar PHP-based OT or utility applications that may reuse the same path-checking pattern.
Evidence notes
The source advisory for Festo Didactic SE MES PC states that PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0 accept filenames with embedded NUL bytes in DirectoryIterator and may mishandle them as terminators. The same source recommends Factory Control Panel as a replacement for XAMPP on MES PCs and provides Festo/CERT references for the advisory. No KEV listing was provided.
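The version ranges above are the practical inventory criterion: an MES PC is in scope if its bundled PHP falls inside one of them. The following PHP is an added example for this debrief (not from the advisory, PatchSiren, or Festo); the function name phpVersionAffectedByCve201911045 and the sample version strings are constructed. It parses distribution-style version strings and returns whether they fall in an affected range, and reports the interpreter it runs under, which on an MES PC would be the XAMPP-bundled PHP.

```php
<?php
// Added example, not from the debrief or from Festo. Names are the author's own.
declare(strict_types=1);

/**
 * True when $version is in an affected range from the advisory:
 * 7.2.x below 7.2.26, 7.3.x below 7.3.13, or exactly 7.4.0.
 * Anything else returns false; note that branches older than 7.2 are
 * simply outside the advisory's stated scope, not confirmed good.
 */
function phpVersionAffectedByCve201911045(string $version): bool
{
    // Ignore build suffixes such as "-dev" or "7.3.9-1+ubuntu18.04".
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("unrecognised version string: $version");
    }
    [$major, $minor, $patch] = [(int) $m[1], (int) $m[2], (int) $m[3]];
    if ($major !== 7) {
        return false;
    }
    switch ($minor) {
        case 2:
            return $patch < 26;
        case 3:
            return $patch < 13;
        case 4:
            return $patch === 0;
        default:
            return false;
    }
}

// The interpreter running this script (the bundled PHP on an MES PC).
printf("running PHP %s: %s\n", PHP_VERSION,
    phpVersionAffectedByCve201911045(PHP_VERSION) ? 'AFFECTED' : 'not in an affected range');

// Constructed boundary samples on both sides of each fixed release.
foreach (['7.2.25', '7.2.26', '7.3.12', '7.3.13', '7.4.0', '7.4.1-dev', '8.1.2'] as $v) {
    printf("%-10s %s\n", $v, phpVersionAffectedByCve201911045($v) ? 'affected' : 'not affected');
}
```

Run it with the php.exe shipped in the XAMPP tree rather than any other PHP on the host, since that is the build the MES PC application actually uses. A version outside the affected ranges does not by itself prove the check-then-use pattern is absent from application code; it only means DirectoryIterator no longer truncates silently.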
Official resources
- CVE-2019-11045 CVE record (CVE.org)
- CVE-2019-11045 NVD detail (NVD)
- Source item URL (cisa_csaf)
The provided timeline places the source publication on 2024-02-27 and a CISA republication on 2026-01-27. The CVE identifier is CVE-2019-11045, but the dates in this debrief are taken from the supplied advisory content, which should be treated as its timing context.