PatchSiren cyber security CVE debrief

CVE-2019-11046 Festo Didactic SE CVE debrief

CVE-2019-11046 is a medium-severity information-disclosure issue in PHP’s bcmath extension. In affected PHP versions, a crafted string containing characters treated as numeric by the operating system but not as ASCII digits can cause the extension to read beyond allocated space, potentially exposing memory contents. The CISA-republished Festo Didactic SE MES PC advisory ties the issue to the product environment and points users to a replacement Factory Control Panel release that includes fixes.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic SE MES PC operators, OT/ICS administrators, and any team responsible for systems running affected PHP 7.2.x, 7.3.x, or 7.4.0 builds with bcmath enabled—especially on Windows or other systems where the behavior can be triggered.

Technical summary

The issue is an out-of-bounds read in PHP bcmath functions. A string with non-ASCII characters recognized as numeric by the OS can trick parsing logic into reading past the allocated buffer. The documented impact is disclosure of memory contents; no integrity or availability impact is described in the supplied source.

Defensive priority

Medium. Prioritize remediation where MES PC instances still rely on vulnerable PHP builds, are exposed to untrusted input, or support sensitive operational data. The source provides a vendor fix path and replacement software, so upgrade planning should be straightforward.

Recommended defensive actions

  • Inventory Festo Didactic MES PC deployments and confirm whether any bundled PHP version falls within the affected ranges (7.2.x below 7.2.26, 7.3.x below 7.3.13, or 7.4.0).
  • Apply the vendor-provided replacement: obtain the current Factory Control Panel version from Festo technical support, as noted in the advisory remediation.
  • Remove or upgrade any vulnerable PHP bcmath components used by the MES PC environment to a fixed version.
  • Limit access to MES PC interfaces and related services to trusted networks and authorized users while remediation is underway.
  • Validate the updated deployment after remediation and confirm the vulnerable PHP version is no longer present.
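The inventory step above can be scripted. The following is an added example (not part of the advisory or any Festo tooling) that parses the output of `php -v` and `php -m` collected from an MES PC and reports whether the build falls inside the affected ranges with bcmath loaded; the sample outputs embedded below are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory: 7.2.x below 7.2.26,
# 7.3.x below 7.3.13, and 7.4.0. Values are the first fixed release
# on each branch, so "affected" means version < fixed on that branch.
AFFECTED_BRANCHES = {
    (7, 2): (7, 2, 26),
    (7, 3): (7, 3, 13),
    (7, 4): (7, 4, 1),   # only 7.4.0 itself is affected
}


def parse_php_version(php_v_output):
    """Return (major, minor, patch) from the first X.Y.Z in `php -v` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", php_v_output)
    if not m:
        raise ValueError("no PHP version string found")
    return tuple(int(g) for g in m.groups())


def is_affected_version(version):
    """True if the version lies in an affected range for CVE-2019-11046."""
    fixed = AFFECTED_BRANCHES.get(version[:2])
    return fixed is not None and version < fixed


def bcmath_loaded(php_m_output):
    """True if `php -m` lists the bcmath extension (one module per line)."""
    return any(line.strip().lower() == "bcmath" for line in php_m_output.splitlines())


def assess(php_v_output, php_m_output):
    """Combine both checks: exposure needs an affected build AND bcmath enabled."""
    version = parse_php_version(php_v_output)
    affected = is_affected_version(version)
    has_bcmath = bcmath_loaded(php_m_output)
    return {
        "version": ".".join(map(str, version)),
        "affected_version": affected,
        "bcmath_loaded": has_bcmath,
        "exposed": affected and has_bcmath,
    }


# Constructed sample output resembling a bundled Windows PHP build.
SAMPLE_PHP_V = "PHP 7.3.12 (cli) (built: Nov 19 2019 10:42:46) ( ZTS MSVC15 (Visual C++ 2017) x64 )"
SAMPLE_PHP_M = "[PHP Modules]\nbcmath\nCore\nctype\ndate\n"

if __name__ == "__main__":
    print(assess(SAMPLE_PHP_V, SAMPLE_PHP_M))
```

A result with `exposed` set to True means the host should be scheduled for the Factory Control Panel replacement; a build outside the ranges, or one without bcmath loaded, is not exposed to this particular issue.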

Evidence notes

The debrief is based on the provided CISA CSAF source item for ICSA-26-027-02, which republishes the Festo Didactic SE MES PC advisory. The source description explicitly states the affected PHP version ranges and the out-of-bounds read leading to memory disclosure. The supplied remediation notes state that Factory Control Panel is a replacement for XAMPP on MES PCs and includes fixes for these vulnerabilities. The timeline in the supplied corpus shows source publication on 2024-02-27 and a later republication/modification on 2026-01-27; the underlying vulnerability itself predates both dates.

Official resources

This debrief uses the provided CISA-republished Festo Didactic SE MES PC advisory for CVE-2019-11046. The supplied enrichment indicates no KEV listing, and the source timeline shows the advisory was published on 2024-02-27 with later repub