Schneider Electric released a new version of its Pro-face GP-Pro EX software to mitigate an improper input validation vulnerability, according to an NCCIC report.
Successful exploitation of this remotely exploitable vulnerability could allow an attacker to modify code to launch an arbitrary executable upon launch of the program.
Pro-face GP-Pro EX, an HMI screen editor and logic programming software, is affected in Version 4.08 and prior. Yu Quiang of Venustech’s ADLab discovered the issue.
The vulnerability stems from an error in the program’s code that allows an arbitrary executable to be launched.
CVE-2018-7832 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.0.
The product sees use mainly in the energy sector and is deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
Schneider Electric released Version 4.08.200 of the software to address the vulnerability.
For more information, see Schneider Electric’s security bulletin.