OTPulse

Weintek EasyBuilder Pro cMT Series

Act Now · CVSS 9.3 · ICS-CERT ICSA-23-045-01 · Feb 20, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Weintek EasyBuilder Pro v6.07.01, v6.07.02.479, and v6.08.01.349 contain a path traversal vulnerability (CWE-29) that could allow an attacker to gain control of a user's machine or access sensitive information when a user decompiles untrusted project files. The vulnerability requires user interaction to exploit.

What this means
What could happen
An attacker could gain control of an engineering workstation running EasyBuilder Pro by sending a malicious project file, potentially allowing them to modify HMI configurations, steal credentials, or compromise PLC program uploads. This could result in unauthorized changes to process setpoints, shutdown of critical systems, or exfiltration of operational data.
Who's at risk
Engineering teams at water utilities, electric generation/distribution, and other critical infrastructure facilities that use Weintek EasyBuilder Pro to develop or maintain HMI (Human-Machine Interface) configurations. This affects anyone who creates, modifies, or troubleshoots graphical control interfaces for PLCs and industrial control systems.
How it could be exploited
An attacker creates a malicious EasyBuilder Pro project file exploiting the path traversal vulnerability and sends it to an engineer. When the engineer decompiles the file to view or modify it, the vulnerability allows the attacker's code to execute on the engineering workstation with the user's privileges, gaining machine control.
Prerequisites
  • User interaction required: engineer must open and decompile a malicious EasyBuilder Pro project file
  • Access to send email or deliver file to target engineer
  • Vulnerable version of EasyBuilder Pro installed on engineering workstation (v6.07.01, v6.07.02.479, or v6.08.01.349)
  • Requires user interaction (engineer must open malicious file)
  • Affects engineering workstations with access to production systems
  • No patch available for v6.07.01 and earlier
  • Could enable lateral movement to connected PLCs or control systems
  • Social engineering attack vector via email
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (3)
3 pending
Product | Affected Versions | Fix Status
EasyBuilder Pro: v6.07.01 and prior | ≤ 6.07.01 | No fix yet
EasyBuilder Pro: v6.07.02.479 and prior | ≤ 6.07.02.479 | No fix yet
EasyBuilder Pro: v6.08.01.349 and prior | ≤ 6.08.01.349 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict decompile operations to trusted project files and only when operationally necessary
HARDENING: Provide security awareness training to engineers on risks of opening untrusted project files from external sources or email
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade EasyBuilder Pro to v6.07.02.480 or later, or v6.08.01.350 or later
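
A version triage for the upgrade guidance above, as an added example that is not from the advisory or from Weintek: it classifies installed EasyBuilder Pro version strings against the fixed builds v6.07.02.480 and v6.08.01.350. The hostnames, the inventory and the function names are constructed, and it assumes the dotted build numbers compare numerically, part by part.

```python
import re

# Fixed builds named in the remediation section, keyed by release branch.
FIXED_BUILDS = {(6, 7): (6, 7, 2, 480), (6, 8): (6, 8, 1, 350)}

def parse_version(text):
    """Turn 'v6.07.02.479' into (6, 7, 2, 479); pad short versions with zeros."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def format_version(v):
    return f"v{v[0]}.{v[1]:02d}.{v[2]:02d}.{v[3]}"

def triage(version_text):
    """Return (status, upgrade_target) for one installed version string."""
    v = parse_version(version_text)
    fix = FIXED_BUILDS.get(v[:2])
    if fix is None:
        if v[:2] > max(FIXED_BUILDS):
            return ("fixed", None)  # later than v6.08.01.350
        fix = min(FIXED_BUILDS.values())  # older branch: lowest fixed build
    if v >= fix:
        return ("fixed", None)
    return ("vulnerable", format_version(fix))

def triage_inventory(inventory):
    """Map host -> (status, target); unparsable versions need manual review."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = triage(version_text)
        except ValueError:
            report[host] = ("unknown", None)
    return report

# Constructed sample inventory; hostnames and installs are made up.
SAMPLE_INVENTORY = {
    "EWS-01": "v6.07.01",
    "EWS-02": "6.07.02.480",
    "EWS-03": "v6.08.01.349",
    "EWS-04": "not installed",
}

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f", upgrade to {target} or later" if target else ""))
```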