OTPulse

FATEK Automation FvDesigner

Monitor
CVSS: 7.8
ICS-CERT: ICSA-21-056-02
Published: Feb 25, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

FvDesigner versions 1.5.76 and earlier contain multiple memory corruption vulnerabilities (CWE-416 use-after-free, CWE-824 access of uninitialized pointer, CWE-121 stack-based buffer overflow, CWE-787 out-of-bounds write, CWE-125 out-of-bounds read) triggered by parsing malformed project files. Successful exploitation allows an attacker to read or modify project data, execute arbitrary code, or crash the application. FATEK Automation is aware of the issues and is developing a solution; no fix is currently available. No public exploits are known, and these vulnerabilities are not remotely exploitable.

What this means
What could happen
An attacker could read or modify PLC/automation project data, execute arbitrary commands on the engineering workstation, or crash the FvDesigner application if they can trick a user into opening a malicious project file. This could disrupt control system design, configuration, and deployment workflows.
Who's at risk
Engineering and automation personnel at water utilities and municipal electric utilities who use FATEK FvDesigner to design and configure PLCs, distributed I/O modules, and automation logic. This affects the engineering workstations used to develop and deploy control system configurations.
How it could be exploited
An attacker must socially engineer a user to open a malicious FvDesigner project file on an engineering workstation running FvDesigner version 1.5.76 or earlier. The file contains specially crafted data that triggers memory corruption vulnerabilities (use-after-free, buffer overflow, heap overflow) when parsed, allowing arbitrary code execution or application crash.
Prerequisites
  • FvDesigner version 1.5.76 or earlier installed on engineering workstation
  • User must open a malicious project file from an attacker-supplied source
  • No special user privileges required on the workstation
Key points
  • No authentication required to open a file
  • Low complexity exploit (user interaction required)
  • No patch available yet (vendor developing fix)
  • Memory corruption vulnerabilities (use-after-free, buffer overflow)
  • Affects engineering workstations in control system environments
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product       Affected Versions   Fix Status
FvDesigner    ≤ 1.5.76            No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Do not open FvDesigner project files from untrusted or unsolicited sources. Verify the source and integrity of any project file before opening it.
HARDENING: Restrict FvDesigner access to authorized personnel only and apply least-privilege principles to the user accounts that run the software.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor FATEK Automation for security updates and patch FvDesigner as soon as a fix is released. Contact FATEK at +886-2-2808-2192 or via email to request updates on the fix timeline.
Mitigations - no patch available
FvDesigner has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate engineering workstations running FvDesigner from the business and control system networks using network segmentation and firewalls.