PatchSiren cyber security CVE debrief
CVE-2019-11050 Festo Didactic SE CVE debrief
CVE-2019-11050 is an out-of-bounds read in PHP's EXIF parser (reachable through exif_read_data()) that can disclose process memory or crash the PHP process. In the supplied Festo advisory corpus, the issue is mapped to MES PC environments that shipped XAMPP, with remediation pointing to a replacement Factory Control Panel that includes the fixes.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: 6.5 (Medium)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Operators, administrators, and support teams responsible for Festo Didactic SE MES PC systems, especially environments using XAMPP or PHP-based image handling components. This also matters to industrial-control/OT defenders monitoring for availability and information-disclosure risk in the application layer.
Technical summary
The vulnerability affects PHP EXIF parsing when handling image metadata, including use through exif_read_data(). Per the supplied CVE description, affected PHP versions are 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0. The result is a read past the allocated buffer, which the source describes as leading to information disclosure or a crash. The CVSS vector supplied is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, indicating a network-reachable issue with no privileges or user interaction required.
Defensive priority
Medium. The score is CVSS 6.5, and the impact is limited to low confidentiality and low availability, but the no-privileges/no-user-interaction vector makes it worth prioritizing on exposed or operationally important MES PCs.
Recommended defensive actions
- Confirm whether the MES PC deployment runs one of the affected PHP builds (7.2.x below 7.2.26, 7.3.x below 7.3.13, or 7.4.0), for example with the XAMPP-bundled php -v, and whether the exif extension is enabled in that build.
- Apply the vendor-recommended replacement: contact Festo technical support to obtain the current Factory Control Panel version, which the advisory states includes fixes for these vulnerabilities.
- If immediate replacement is not possible, restrict which clients and sources can submit images to the affected application path, and disable or gate EXIF parsing of untrusted images until the replacement is deployed.
- Monitor for unexpected PHP or web-server crashes and for anomalous information-disclosure symptoms in the MES PC application stack.
- Use defense-in-depth controls for OT/ICS assets, including segmentation and least-privilege access around application servers and operator workstations.
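As an added example (not code from the Festo advisory, from Festo, or from the PatchSiren page), the following PHP script carries out the version check and the interim gating described above on a XAMPP host: it classifies the running interpreter against the affected ranges quoted in the CVE description and wraps exif_read_data() so that EXIF parsing is refused on an affected build. The file name, the function names and the handling of 7.4 (only 7.4.0 is listed as affected, so other 7.4.x releases are treated as outside this CVE's scope) are this example's assumptions.

```php
<?php
// Added example, not part of the Festo advisory or the PatchSiren page.
// Local exposure check for CVE-2019-11050 on a PHP/XAMPP host.
// Affected ranges are taken from the CVE description quoted above:
// 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0.
// Run from the XAMPP shell:  php check_cve_2019_11050.php [image.jpg]

/**
 * Return true when $version falls in an affected range.
 * Branches other than 7.2/7.3/7.4 are reported as not affected by this
 * CVE, which is all the CVE description supports; it says nothing about
 * other issues in those branches.
 */
function php_version_affected(string $version): bool
{
    // Reduce strings such as "7.2.25-1+deb10u1" to MAJOR.MINOR.PATCH.
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("unrecognized PHP version: $version");
    }
    $branch = "$m[1].$m[2]";
    $plain  = "$m[1].$m[2].$m[3]";

    switch ($branch) {
        case '7.2':
            return version_compare($plain, '7.2.26', '<');
        case '7.3':
            return version_compare($plain, '7.3.13', '<');
        case '7.4':
            return version_compare($plain, '7.4.0', '=='); // only 7.4.0 is listed
        default:
            return false;
    }
}

/**
 * Interim wrapper around exif_read_data(): refuses EXIF parsing on an
 * affected interpreter so untrusted images never reach the vulnerable
 * parser before the vendor replacement (Factory Control Panel) is in place.
 */
function safe_exif_read(string $path): array
{
    if (!extension_loaded('exif')) {
        return [];                     // no parser loaded, nothing to reach
    }
    if (php_version_affected(PHP_VERSION)) {
        throw new RuntimeException(
            'EXIF parsing disabled: PHP ' . PHP_VERSION . ' is affected by CVE-2019-11050'
        );
    }
    // Assumption: the caller has already validated that $path is a local
    // image file the application is allowed to read.
    $data = @exif_read_data($path);
    return $data === false ? [] : $data;
}

// Report for the interpreter this script runs under.
$status = php_version_affected(PHP_VERSION) ? 'AFFECTED' : 'not affected';
printf("PHP %s: %s by CVE-2019-11050\n", PHP_VERSION, $status);
printf("exif extension loaded: %s\n", extension_loaded('exif') ? 'yes' : 'no');

// Optional: parse one image through the gated wrapper.
if ($argc > 1) {
    try {
        $tags = safe_exif_read($argv[1]);
        printf("%s: %d EXIF tags read\n", $argv[1], count($tags));
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(2);
    }
}
```

Run it with the php.exe that the MES PC's XAMPP installation actually uses, not a separately installed PHP, since the version that matters is the one serving the application. A non-zero exit from the wrapper on an affected build is the intended outcome: it turns a silent memory read into a logged refusal until the Factory Control Panel replacement is deployed.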
Evidence notes
The supplied source item is CISA CSAF advisory ICSA-26-027-02 for Festo Didactic SE MES PC and explicitly repeats the PHP EXIF buffer-read issue description. The remediation section states that Festo Didactic released Factory Control Panel as a replacement for XAMPP on MES PCs and that the current version includes fixes. The advisory references the official CVE record, NVD entry, Festo PSIRT page, CERT VDE advisory pages, and CISA industrial-control guidance. Timing context in the corpus shows the CVE/source publishedAt as 2024-02-27 and a later source republication on 2026-01-27; those dates describe the advisory record timeline, not a new vulnerability date.
Official resources
- CVE-2019-11050 CVE record (CVE.org)
- CVE-2019-11050 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references (seven further reference links from the advisory; the stored record labels each only as "Reference")
The supplied corpus ties the CVE to a Festo Didactic SE MES PC advisory and notes a later CISA republication. The issue itself is older than the source republication date; use the CVE published date from the corpus (2024-02-27) for timeline