WECON LeviStudioU

MonitorCVSS 7.8ICS-CERT ICSA-21-343-02Dec 9, 2021

WECON

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

A stack buffer overflow vulnerability (CWE-121) in WECON LeviStudioU versions 2019-09-21 and earlier allows arbitrary code execution through a malicious project file. The vulnerability requires user interaction—an operator must open a crafted project file in LeviStudioU for the overflow to trigger. WECON has not responded to CISA requests to develop a fix. The vulnerability is not remotely exploitable; an attacker must deliver the malicious file locally or via social engineering (email, file sharing). Exploitation could allow an attacker to run code on the engineering workstation with user privileges, potentially modifying control system logic or stealing configuration data.

What this means

What could happen

An attacker with local access to a LeviStudioU engineering workstation could run arbitrary code by tricking an operator into opening a malicious project file, potentially compromising process logic, configurations, or data on that workstation.

Who's at risk

Engineering and configuration staff at water utilities and industrial facilities that use WECON LeviStudioU for programming and managing industrial control systems. This primarily affects the engineering workstations used to develop and modify PLC logic, not the production control systems themselves, but successful exploitation could lead to unauthorized changes in process configurations.

How it could be exploited

An attacker crafts a malicious LeviStudioU project file and uses social engineering (email, file sharing) to trick an operator into opening it. When the file is opened in LeviStudioU, a stack buffer overflow (CWE-121) is triggered, allowing code execution on the workstation with the permissions of the user running the application.

Prerequisites

Local or network file system access to deliver the malicious project file
User interaction required: operator must open the malicious project file in LeviStudioU
LeviStudioU must be installed and running on the target workstation
LeviStudioU version 2019-09-21 or earlier

no patch availableuser interaction requiredsocial engineering vectoraffects engineering workstations that control critical infrastructure logic

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (1)

ProductAffected VersionsFix Status

LeviStudioU - LeviStudioU:≤ 2019-09-21No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDDo not open LeviStudioU project files from untrusted or unexpected sources. Only use project files you have created or received directly from your engineering team.

WORKAROUNDProvide staff training on recognizing social engineering attacks, email scams, and phishing messages that attempt to distribute malicious project files.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGContact WECON technical support to request patches or upgrades for LeviStudioU, as the vendor has not yet released a fix for this vulnerability.

Mitigations - no patch available

0/2

LeviStudioU - LeviStudioU: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate LeviStudioU workstations on a separate engineering network segment with controlled file transfer policies to reduce the risk of malicious files reaching engineering staff.

HARDENINGMaintain offline backups of critical project files to allow recovery if a workstation is compromised.

CVEs (1)

CVE-2021-43983

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3384abe6-e572-4b64-91ac-64ee9754fb5e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.