OTPulse

Panasonic FPWIN Pro

Monitor | CVSS 5.9 | ICS-CERT ICSA-21-180-03 | Jun 29, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

FPWIN Pro contains an XML external entity (XXE) vulnerability (CWE-611) that allows a local attacker with user-level access to read arbitrary files from the file system. Successful exploitation requires the user to open a malicious file or project. This vulnerability affects all versions of FPWIN Pro up to and including 7.5.1.1. Panasonic has released FPWIN Pro v7.5.2.0 to address this issue.

What this means
What could happen
An attacker with local access to an engineering workstation running FPWIN Pro could read sensitive files from the computer's file system, potentially exposing control logic, credentials, or configuration data used to manage Panasonic PLCs.
Who's at risk
This affects engineers and operators at utilities and manufacturers who use Panasonic FPWIN Pro to program and configure Panasonic PLCs. It is primarily a concern for organizations where workstations also store sensitive operational data, credentials, or control logic files.
How it could be exploited
An attacker must first gain local access to the computer running FPWIN Pro (through physical access, remote desktop, or compromised user account). Once local, they can exploit an XML external entity (XXE) vulnerability in the software to read arbitrary files from the system that the FPWIN Pro user has access to.
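As an added illustration of the vulnerability class (example code written for this page, not FPWIN Pro's own parser, whose project format is not described here): a constructed project-style XML file carrying the classic XXE pattern, beside a loader that refuses any DTD up front and, as defence in depth, parses with external entity resolution switched off. Element names are hypothetical; only the Python standard library is used.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample of the XXE pattern: the DTD declares an entity whose value
# is fetched from the local file system, and the document body references it.
# Element names are hypothetical; this is not FPWIN Pro's real project format.
MALICIOUS_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY leak SYSTEM "file:///C:/Windows/win.ini">
]>
<project name="line1_pump"><comment>&leak;</comment></project>"""

# Constructed benign file: same shape, no DTD, no entity references.
BENIGN_PROJECT = b"""<?xml version="1.0"?>
<project name="line1_pump"><comment>ok</comment></project>"""

DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def declares_dtd(data: bytes) -> bool:
    """A project file has no need for a DTD; any <!DOCTYPE> is treated as hostile."""
    return DOCTYPE.search(data) is not None


class _TextCollector(ContentHandler):
    """Gathers character data so the caller can see what the parser produced."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def open_project(data: bytes) -> tuple:
    """Return (accepted, text). Rejects DTDs before parsing; if a file slips past
    that check, the parser still cannot resolve external entities."""
    if declares_dtd(data):
        return False, "rejected: DTD present (possible external entity declaration)"
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return True, "".join(handler.parts).strip()
```

The DTD check is the same approach defusedxml takes with its forbid_dtd option; the parser features are the second layer in case a check is bypassed.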
Prerequisites
  • Local access to the engineering workstation running FPWIN Pro
  • User interaction required (opening a malicious file or clicking a link)
  • FPWIN Pro version 7.5.1.1 or earlier
Tags: Local exploitation only | User interaction required | Low EPSS score (0.1%) | XML external entity (XXE) vulnerability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product                                          | Affected Versions | Fix Status
FPWIN Pro programming control software: All      | ≤ 7.5.1.1         | 7.5.2.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FPWIN Pro to version 7.5.2.0 or later
Long-term hardening
HARDENING: Restrict local login and remote desktop access to engineering workstations to authorized personnel only
HARDENING: Educate engineering staff not to open unsolicited files or click links in emails, particularly those containing project files or attachments from external sources