WECON PLC Editor
Monitor | 7.8 | ICS-CERT ICSA-19-353-03 | Dec 19, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
WECON PLC Editor versions up to 1.3.5_20190129 contain a stack-based buffer overflow vulnerability (CWE-121) that allows an attacker to execute arbitrary code under the privileges of the application. Exploitation requires user interaction—an attacker must trick an operator into opening a malicious project file.
What this means
What could happen
An attacker could execute arbitrary code on an engineering workstation running PLC Editor, potentially compromising the ability to safely configure or monitor PLCs. If the workstation is used to manage critical processes, this could allow modification of PLC logic or setpoints.
Who's at risk
Manufacturing facilities that use WECON PLC Editor on engineering workstations to program or manage PLCs should be concerned. This affects anyone responsible for PLC configuration and maintenance, particularly in plants that receive project files from external contractors or partner organizations.
How it could be exploited
An attacker crafts a malicious PLC project file with a buffer overflow payload in a file field. The attacker sends this file to an operator via email or file sharing. When the operator opens the project in PLC Editor, the vulnerability is triggered and the attacker's code runs with the privileges of the PLC Editor application.
Prerequisites
- User must open a malicious project file in WECON PLC Editor
- PLC Editor version 1.3.5_20190129 or earlier must be installed
- Attacker must be able to deliver the malicious file (via email, USB, file share, etc.)
no patch available | requires user interaction | affects engineering workstations | low exploit complexity
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (1)
Product | Affected Versions | Fix Status
PLC Editor | 1.3.5 20190129 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Train operators to only open PLC project files from known, trusted sources and not to open unsolicited file attachments or links in email
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Monitor WECON customer support and contact channels (phone: 0086-591-87868869-894) for security updates when the vendor releases a patched version
Mitigations - no patch available
PLC Editor has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict access to PLC Editor to authorized engineering staff only and isolate engineering workstations from untrusted networks
HARDENING: Implement file integrity monitoring or disable PLC Editor on systems that do not need active PLC programming
CVEs (1)