WECON has not released an update to mitigate a stack-based buffer overflow in its PLC Editor, according to a report from NCCIC.
Successful exploitation of this remotely exploitable vulnerability could result in unauthorized code execution within the current process.
PLC Editor 1.3.3U, a ladder logic software package, suffers from the vulnerability, which was discovered by Natnael Samson (Natti) working with Trend Micro’s Zero Day Initiative. Additional versions may also be vulnerable.
The stack-based overflow can be triggered when the software processes project files, which may allow an attacker to execute code under the current process.
CVE-2018-14792 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.
The product sees use mainly in the critical manufacturing, energy, and water and wastewater systems sectors. It is also used on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
China-based WECON has verified the vulnerability but has not yet released an updated version.
All users should limit application interaction to only trusted files and update software to the latest version as updates become available.