OTPulse

FATEK Automation WinProladder

CVSS 7.8 | ICS-CERT ICSA-21-175-01 | Jun 24, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

WinProladder versions 3.30 and earlier contain buffer overflow and out-of-bounds memory write vulnerabilities (CWE-125, CWE-787, CWE-119) that allow arbitrary code execution. The vulnerabilities are triggered when a user opens a malicious project file. No known public exploits exist, and these vulnerabilities are not remotely exploitable. FATEK Automation is developing a fix but has not yet released a patched version.

What this means
What could happen
An attacker with local access to a workstation running WinProladder could execute arbitrary code with the privileges of the user, potentially allowing modification of PLC programs or control system logic before deployment.
Who's at risk
Engineering teams and PLC programmers at water authorities and electric utilities who use FATEK WinProladder for programming and testing Programmable Logic Controllers (PLCs) are at risk. Anyone responsible for maintaining or updating FATEK-based automation systems should be aware of this threat.
How it could be exploited
An attacker must trick a user into opening a malicious WinProladder project file (.pro or similar) on an engineering workstation. When the file is opened, buffer overflow or memory corruption vulnerabilities (CWE-125, CWE-787, CWE-119) are triggered, allowing arbitrary code execution within the application's process context.
Prerequisites
  • Local access to a workstation running WinProladder version 3.30 or earlier
  • User interaction required: victim must open a malicious project file
  • No special permissions or credentials needed beyond normal user privileges
Key points
  • Local exploitation only, not remotely exploitable
  • User interaction required (file opening)
  • No patch available; vendor developing solution
  • Low EPSS score (0.8%) but affects engineering workstations that control live systems
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
Product | Affected Versions | Fix Status
WinProladder | ≤ 3.30 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Establish a policy to only open WinProladder project files from trusted, verified sources, and implement code review procedures for PLC programs before deployment.
HARDENING: Implement network-level isolation: segment engineering workstations from the business network and restrict Internet access for machines running WinProladder.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Enforce least-privilege user accounts on engineering workstations so WinProladder runs with minimal system permissions.
HOTFIX: Monitor for vendor patches from FATEK Automation and upgrade WinProladder as soon as a fixed version is released.
Mitigations - no patch available
WinProladder has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Disable email attachments and web link access on engineering workstations where practical, or require manual verification before opening any file.