PatchSiren cyber security CVE debrief
CVE-2019-11049 Festo Didactic SE CVE debrief
CVE-2019-11049 is described in the supplied advisory as a PHP memory-corruption issue on Windows that can lead to a double-free when custom headers supplied to mail() are lowercase. In the Festo Didactic SE MES PC advisory bundle, the recommended remediation is to move affected systems to the current Factory Control Panel replacement and obtain it through Festo support.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators, OT/IT support teams, and incident responders responsible for Festo Didactic SE MES PC deployments that may include the affected Windows/PHP/XAMPP stack, in particular PHP's mail() handling.
Technical summary
The source corpus says PHP 7.3.x below 7.3.13 and PHP 7.4.0 on Windows can double-free memory when mail() is called with custom headers supplied in lowercase, due to a mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e. In the republished Festo MES PC advisory, the vendor remediation is to replace XAMPP with Factory Control Panel, which is stated to include fixes for the vulnerabilities.
Defensive priority
Critical
Recommended defensive actions
- Inventory MES PC systems and confirm whether the affected Windows/PHP/XAMPP components are present.
- Apply the vendor-recommended replacement: obtain and deploy the current Factory Control Panel version from Festo technical support ([email protected]).
- Verify the PHP runtime on Windows is at or above the fixed versions referenced in the advisory before returning systems to service.
- After remediation, validate normal application behavior and watch for crashes or other memory-corruption symptoms in the affected stack.
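For the inventory and verification steps above, the following PowerShell check is an added example (not part of the advisory and not Festo's own tooling): it locates php.exe in assumed XAMPP/PHP install locations and on PATH, then flags any build inside the affected ranges named in this debrief (7.3.x below 7.3.13, and 7.4.0).

```powershell
# Added example, not from the advisory: report PHP builds on a Windows host that fall
# inside the CVE-2019-11049 affected ranges (7.3.x below 7.3.13, and exactly 7.4.0).
# The candidate paths are assumed typical XAMPP/PHP locations; adjust for the MES PC image.

function Test-Cve201911049Affected {
    param([Parameter(Mandatory)][string]$VersionString)
    # Accepts a bare version ("7.3.12") or the first line of `php -v`
    # ("PHP 7.3.12 (cli) (built: ...)").
    if (-not ($VersionString -match '(\d+)\.(\d+)\.(\d+)')) {
        throw "Could not parse a PHP version from: $VersionString"
    }
    $v = [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3])
    $in73Range = ($v -ge [version]'7.3.0') -and ($v -lt [version]'7.3.13')
    $is740     = ($v -eq [version]'7.4.0')
    return ($in73Range -or $is740)
}

# Assumed install locations; add any site-specific paths here.
$candidates = @('C:\xampp\php\php.exe', 'C:\Program Files\PHP\php.exe')
$paths = @()
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) { $paths += $p }
}
# Also pick up a php.exe reachable via PATH, if any.
$cmd = Get-Command php.exe -ErrorAction SilentlyContinue
if ($cmd) { $paths += $cmd.Source }
$paths = $paths | Sort-Object -Unique

if (-not $paths) { Write-Output "No php.exe found on $env:COMPUTERNAME"; return }

foreach ($exe in $paths) {
    $firstLine = & $exe -v 2>$null | Select-Object -First 1
    if (-not $firstLine) { Write-Warning "No version output from $exe"; continue }
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Path     = $exe
        Version  = ($firstLine -split '\s+')[1]
        Affected = Test-Cve201911049Affected -VersionString $firstLine
    }
}
```

Run it on each MES PC before and after the Factory Control Panel replacement; any row with Affected = True still carries the vulnerable runtime and should not be returned to service.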
Evidence notes
This debrief is based only on the supplied CISA CSAF republished advisory ICSA-26-027-02 and its cited references. The advisory text ties CVE-2019-11049 to PHP on Windows and states that lowercase custom headers in mail() can trigger a double-free in PHP 7.3.x below 7.3.13 and 7.4.0. The vendor remediation field says Festo Didactic has released Factory Control Panel as a replacement for XAMPP on MES PCs. The supplied timeline shows publication on 2024-02-27 and a later modification/republication on 2026-01-27; the provided data does not include a KEV entry.
Official resources
- CVE-2019-11049 CVE record (CVE.org)
- CVE-2019-11049 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA republished the advisory on 2024-02-27 and later modified it on 2026-01-27. The supplied bundle presents CVE-2019-11049 in the context of Festo Didactic SE MES PC guidance and directs affected users toward Factory Control Panel as the