FATEK Automation FvDesigner
Monitor · CVSS 7.8 · ICS-CERT ICSA-22-055-01 · Feb 24, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
FATEK FvDesigner versions 1.5.100 and earlier contain multiple memory-safety vulnerabilities: stack-based buffer overflow (CWE-121), out-of-bounds write (CWE-787) and out-of-bounds read (CWE-125). Each could allow arbitrary code execution in the context of the user running FvDesigner. None of them is remotely exploitable; an attacker needs local access and a user must open a crafted file. FATEK has not responded to CISA's requests for mitigation and no fix is available. No public exploit is known at this time.
What this means
What could happen
An attacker with local access to a machine running FvDesigner could execute arbitrary code on that system, potentially allowing them to modify control logic, steal project files, or disrupt engineering operations.
Who's at risk
This affects water utilities and electric utilities that use FATEK FvDesigner for programming and engineering of FATEK controllers. The risk is highest for organizations that allow downloaded or shared project files onto engineering workstations, or where multiple users access the same FvDesigner installation.
How it could be exploited
The attack vector is local: the flaws sit in FvDesigner's parsing of project files and their components, not in a network service. The realistic path is a crafted project file that reaches an engineering workstation (downloaded, shared, or attached) and is opened by a user; the malformed file drives FvDesigner into a buffer overflow or out-of-bounds read/write, and the attacker's code then runs with the privileges of the user who opened it.
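The advisory does not publish FvDesigner's file format or the faulty routines, so the following is an added example, not FATEK code: a constructed record parser that shows the three CWEs above side by side with its hardened form. The record layout (1-byte tag, 16-bit little-endian length, payload), the 32-byte `NAME_MAX` buffer and every function name are assumptions made for illustration; the sample records are built in the block itself.

```c
/* Added example, not FATEK code. Record layout, NAME_MAX and all names are
 * assumptions for illustration; FvDesigner's real file format is not public. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 32    /* fixed-size destination buffer (assumed) */
#define TAG_NAME 0x01  /* hypothetical "component name" record tag */

/* Record layout (assumed): [tag:1][len:2, little-endian][payload:len]. */
enum rec_status {
    REC_OK = 0,
    REC_ERR_HEADER = 1,     /* fewer than 3 bytes: no tag + length */
    REC_ERR_TAG = 2,        /* not a name record */
    REC_ERR_TRUNCATED = 3,  /* len claims more bytes than the input holds (CWE-125) */
    REC_ERR_TOO_LONG = 4    /* len exceeds the destination buffer (CWE-121 / CWE-787) */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE pattern: the length field read from the file drives memcpy
 * directly. len > NAME_MAX writes past `out` (a stack-based overflow when the
 * caller's buffer is on the stack); len > remaining input reads past `buf`.
 * Run it only on the benign sample; it is here to show the defect. */
int parse_name_vuln(const uint8_t *buf, size_t buflen, char out[NAME_MAX])
{
    if (buflen < 3 || buf[0] != TAG_NAME) return -1;
    uint16_t len = rd16le(buf + 1);
    memcpy(out, buf + 3, len);  /* no check against NAME_MAX or buflen */
    out[len] = '\0';            /* out of bounds whenever len >= NAME_MAX */
    return (int)len;
}

/* The checks the vulnerable parser is missing, one per failure mode. */
enum rec_status validate_name_record(const uint8_t *buf, size_t buflen)
{
    if (buflen < 3) return REC_ERR_HEADER;
    if (buf[0] != TAG_NAME) return REC_ERR_TAG;
    uint16_t len = rd16le(buf + 1);
    if ((size_t)len > buflen - 3) return REC_ERR_TRUNCATED;  /* would read out of bounds */
    if (len >= NAME_MAX) return REC_ERR_TOO_LONG;           /* would write out of bounds; NUL needs a slot */
    return REC_OK;
}

/* HARDENED: the same copy, performed only after every bound is verified. */
int parse_name_safe(const uint8_t *buf, size_t buflen, char out[NAME_MAX])
{
    if (validate_name_record(buf, buflen) != REC_OK) return -1;
    uint16_t len = rd16le(buf + 1);
    memcpy(out, buf + 3, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed sample record: the header claims `claimed_len` bytes but
 * only `payload_len` bytes of 'A' follow. Returns bytes written, 0 if no room. */
size_t build_record(uint8_t *dst, size_t cap, uint16_t claimed_len, size_t payload_len)
{
    if (cap < 3 + payload_len) return 0;
    dst[0] = TAG_NAME;
    dst[1] = (uint8_t)(claimed_len & 0xff);
    dst[2] = (uint8_t)(claimed_len >> 8);
    memset(dst + 3, 'A', payload_len);
    return 3 + payload_len;
}

const char *rec_status_name(enum rec_status s)
{
    switch (s) {
    case REC_OK:            return "ok";
    case REC_ERR_HEADER:    return "short header";
    case REC_ERR_TAG:       return "wrong tag";
    case REC_ERR_TRUNCATED: return "truncated payload (CWE-125 read if copied blindly)";
    case REC_ERR_TOO_LONG:  return "oversized length (CWE-121/787 write if copied blindly)";
    }
    return "unknown";
}

int main(void)
{
    uint8_t rec[512];
    char out[NAME_MAX];
    const uint16_t claimed[] = { 5, 256, 16 };
    const size_t   actual[]  = { 5, 256, 5 };   /* third record is truncated */
    for (size_t i = 0; i < 3; i++) {
        size_t n = build_record(rec, sizeof rec, claimed[i], actual[i]);
        printf("len=%u present=%zu -> %s; safe parser returned %d\n", (unsigned)claimed[i],
               actual[i], rec_status_name(validate_name_record(rec, n)), parse_name_safe(rec, n, out));
    }
    /* The vulnerable parser is run only on the benign record; on the other two
     * it would smash the stack or read past `rec`. */
    size_t n = build_record(rec, sizeof rec, 5, 5);
    printf("vulnerable parser on benign record: %d (%s)\n", parse_name_vuln(rec, n, out), out);
    return 0;
}
```

The two bounds are independent: the truncation check compares the claimed length against what the input actually holds (the read side), and the size check compares it against the destination (the write side). A parser that does only one of them still has the other CWE.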
Prerequisites
- Local access to the machine running FvDesigner
- User interaction required to open a malicious project file or component
- FvDesigner version 1.5.100 or earlier installed
Tags: no patch available · requires local access and user interaction · buffer overflow vulnerability · engineering tool used in OT environments
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| FvDesigner | ≤ 1.5.100 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and network access to engineering workstations running FvDesigner; only authorized personnel should have local login access.
- HARDENING: Train users not to open FvDesigner project files or attachments from untrusted sources.
Schedule (requires maintenance window)
- Patching may require a reboot; plan for process interruption. No patch exists for this advisory today, so this applies only if FATEK releases one.
- WORKAROUND: Contact FATEK customer support to request security updates or guidance on alternatives.
Mitigations (no patch available)
FvDesigner has reached End of Life and the vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate FvDesigner workstations on a separate engineering network segment with limited connectivity to production systems.
- HARDENING: Monitor FvDesigner workstations for suspicious process execution or file system changes, for example FvDesigner spawning a command shell or scripting host, or new executables appearing under the user's profile after a project file is opened.
API:
/api/v1/advisories/fb624f86-7fdf-46eb-a458-86184f1cc1ee