OTPulse

FATEK Automation FvDesigner

Monitor · 7.8 · ICS-CERT ICSA-22-237-01 · Aug 25, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

FvDesigner versions 1.5.103 and earlier contain a buffer overflow vulnerability (CWE-787) that allows arbitrary code execution when a user opens a malicious project file. The vulnerability is triggered through improper input validation and requires local access to a workstation running FvDesigner. No public exploits are currently known, and the vulnerability is not remotely exploitable. FATEK has not responded to CISA mitigation requests and no patch is available.

What this means
What could happen
An attacker with local access to a workstation running FvDesigner could execute arbitrary code with the privileges of the user running the application, potentially modifying PLC configurations or logic, or causing the engineering tool to fail.
Who's at risk
FATEK automation engineers and control system integrators using FvDesigner for PLC programming and configuration on Windows workstations. Particularly affects water treatment plants, electric utilities, and manufacturing facilities that rely on FATEK PLCs for process control.
How it could be exploited
An attacker would need to trick a user into opening a malicious file (likely a project file or attachment) on a workstation where FvDesigner is installed. When the file is opened in FvDesigner, the application executes arbitrary code embedded in the file due to improper input validation.
Prerequisites
  • FvDesigner version 1.5.103 or earlier installed on workstation
  • User must open a malicious project file or attachment in FvDesigner
  • Local access to the workstation or ability to deliver malicious file via email/network
no patch available · requires user interaction (file opening) · code execution on engineering workstation · vendor unresponsive to mitigation requests
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
FvDesigner | ≤ 1.5.103 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Do not click web links or open unsolicited attachments in email messages
Mitigations - no patch available
FvDesigner has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict file access permissions on workstations running FvDesigner to prevent unauthorized file delivery
HARDENING: Implement email filtering and attachment scanning to block potentially malicious files
HARDENING: Monitor for suspicious activity on engineering workstations and report findings to CISA