NREL EnergyPlus
Monitor6.1ICS-CERT ICSA-19-204-02Jul 23, 2019
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
EnergyPlus versions 8.6.0 and earlier contain a buffer overflow vulnerability (CWE-121) that could allow a local attacker to execute arbitrary code or cause a denial-of-service condition. The vulnerability is not remotely exploitable and requires local user account access to the affected machine. No public exploits are known.
What this means
What could happen
An attacker with local access could run arbitrary code on a machine running EnergyPlus, potentially disrupting building energy simulations or altering energy model data used for operational decisions.
Who's at risk
Energy sector organizations using EnergyPlus for building energy simulation and modeling, particularly those running older workstations or servers with version 8.6.0 or earlier for design analysis, commissioning studies, or operational energy forecasting.
How it could be exploited
An attacker with a local user account on the same machine running EnergyPlus could exploit a buffer overflow (CWE-121) to execute arbitrary code or crash the application, requiring interactive access to the workstation where EnergyPlus is installed.
Prerequisites
- Local user account on the machine running EnergyPlus
- EnergyPlus version 8.6.0 or earlier installed
- Ability to run or manipulate EnergyPlus application or its inputs
buffer overflow vulnerability (CWE-121)low complexity attacklocal access requiredaffects energy modeling and simulation systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
EnergyPlus:≤ 8.6.09.0.1 or later
Remediation & Mitigation
0/3
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate EnergyPlus to version 9.0.1 or later
Long-term hardening
0/2HARDENINGRestrict local system access to authorized personnel only; enforce least privilege for user accounts
HARDENINGDisable unnecessary local user accounts and services on machines running EnergyPlus
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/67512520-6f2a-4e17-822c-9301b11a0176