INVT VT-Designer and HMITool
CVSS 7.8 | ICS-CERT ICSA-25-238-01 | Aug 26, 2025
Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
INVT VT-Designer (2.1.13) and HMITool (7.1.011) contain out-of-bounds write (CWE-787) and type confusion (CWE-843) vulnerabilities that allow an attacker with local access to execute arbitrary code with the privileges of the user running the application. Exploitation requires user interaction (such as opening a malicious project file) and is not possible remotely. INVT has not responded to CISA coordination efforts and has not released fixes for these products.
What this means
What could happen
An attacker with local access to a machine running VT-Designer or HMITool could execute arbitrary code and compromise the engineering workstation, potentially allowing them to modify HMI logic, process parameters, or data before those changes propagate to connected control devices.
Who's at risk
Manufacturing facilities using INVT VT-Designer or HMITool for process monitoring and control engineering are affected. This includes organizations that use these tools on engineering workstations to configure, test, or modify HMI interfaces and control logic for industrial processes.
How it could be exploited
The attacker needs a way to get a crafted project file onto the engineering workstation and have a user open it in VT-Designer or HMITool (for example via a phishing attachment, a USB drive, or a compromised account with local access). While the tool processes the file, an out-of-bounds write or type confusion bug (CWE-787, CWE-843) is triggered, giving the attacker code execution with the privileges of the user running the tool. From there they can modify project files and configuration, or steal credentials used to communicate with the control devices.
Prerequisites
- Local access to the engineering workstation running VT-Designer 2.1.13 or HMITool 7.1.011
- User interaction required (e.g., opening a malicious file or project)
Tags: no patch available · low complexity · local exploitation only · no authentication required for exploitation on local machine · affects engineering/configuration tools central to process integrity
Exploitability
Unlikely to be exploited: EPSS score 0.1% (estimated probability of exploitation in the wild within the next 30 days)
Affected products (2), both EOL
Product | Affected Versions | Fix Status
VT-Designer | 2.1.13 | No fix (EOL)
HMITool | 7.1.011 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Contact INVT support immediately to ask about available patches, workarounds, or product migration options; document the response and escalate if no fix or mitigation is provided.
Schedule (requires maintenance window)
No patch is currently available; if INVT releases one, applying it may require a device reboot, so plan for process interruption.
- HARDENING: Implement application whitelisting (allowlisting) on engineering workstations so that only approved executables can run. Allowlisting stops a dropped second-stage executable but not code running inside the already-trusted VT-Designer/HMITool process, so pair it with OS exploit mitigations (DEP, ASLR, CFG) where the binaries support them.
- HARDENING: Require strong user authentication (multi-factor authentication where possible) for all accounts with access to engineering workstations and VT-Designer/HMITool projects.
Mitigations (no patch available)
The following products have reached End of Life with no planned fix: VT-Designer 2.1.13, HMITool 7.1.011. Apply the following compensating controls. Because exploitation starts with a user opening a crafted project file, also treat project files arriving from outside the engineering network (email, USB, downloads) as untrusted and open them only on an isolated workstation.
- HARDENING: Isolate VT-Designer and HMITool engineering workstations from the business network; place them on a dedicated, air-gapped engineering network or limit connectivity to the essential control devices only.
- HARDENING: Restrict physical access to engineering workstations running VT-Designer and HMITool: badge access, locked doors, and presence of authorized personnel.
- HARDENING: Monitor engineering workstations for suspicious process execution and file modifications; alert on unexpected child processes or executable files written by VT-Designer or HMITool.
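As an added example (not code from INVT or from this advisory page), the following Python script implements the monitoring control above over Sysmon-style process-creation (Event ID 1) and file-create (Event ID 11) events exported as JSON lines: it flags scripting or system utilities spawned as children of the engineering tools, and executable content those tools write into temp or startup locations. The executable names VT-Designer.exe and HMITool.exe, the suspicious-child list, the drop directories and the project extension are assumptions to be tuned to the site; the sample events are constructed, not captured telemetry.

```python
"""Flag suspicious child processes and file drops originating from INVT engineering tools.

Added example for this advisory, not INVT code. Assumptions (not stated on the page):
the image names VT-Designer.exe / HMITool.exe and the .hmi project extension are
placeholders for whatever is actually installed; the sample events are constructed.
Field names (Image, ParentImage, CommandLine, TargetFilename) follow Sysmon EID 1/11.
"""
import json
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Placeholder executable names: replace with the image names actually installed.
ENGINEERING_TOOLS = {"vt-designer.exe", "hmitool.exe"}

# Children an HMI editor has no business spawning (assumed baseline; tune per site).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Locations where an engineering tool writing executable content is unexpected.
DROP_DIRS = (
    "appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup",
    "appdata\\local\\temp", "windows\\temp", "programdata",
)
EXEC_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return PureWindowsPath(path).name.lower()


def analyze_event(event: dict) -> Optional[str]:
    """Return a finding for one event, or None if the event looks benign."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: tool spawned a scripting/system utility
        parent = _image_name(event.get("ParentImage", ""))
        child = _image_name(event.get("Image", ""))
        if parent in ENGINEERING_TOOLS and child in SUSPICIOUS_CHILDREN:
            return f"{parent} spawned {child}: {event.get('CommandLine', '')!r}"
    elif eid == 11:  # file create: tool wrote executable content to a drop location
        proc = _image_name(event.get("Image", ""))
        target = event.get("TargetFilename", "")
        if proc in ENGINEERING_TOOLS:
            tp = PureWindowsPath(target)
            lowered = str(tp).lower()
            if tp.suffix.lower() in EXEC_EXTENSIONS and any(d in lowered for d in DROP_DIRS):
                return f"{proc} wrote executable content outside the project tree: {target}"
    return None


def analyze_events(lines: Iterable[str]) -> List[str]:
    """Run analyze_event over JSON-lines input and return all findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyze_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Only events 1 and 3 should alert.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Program Files\\INVT\\VT-Designer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\INVT\\HMITool.exe", "CommandLine": "HMITool.exe C:\\Projects\\HMI\\line1.hmi"}
{"EventID": 11, "Image": "C:\\Program Files\\INVT\\HMITool.exe", "TargetFilename": "C:\\Users\\eng\\AppData\\Local\\Temp\\upd.exe"}
{"EventID": 11, "Image": "C:\\Program Files\\INVT\\HMITool.exe", "TargetFilename": "C:\\Projects\\HMI\\line1.hmi"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\INVT\\HMITool.exe", "Image": "C:\\Program Files\\INVT\\VT-Designer.exe", "CommandLine": "VT-Designer.exe"}
""".splitlines()

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print("ALERT:", f)
```

The two checks are deliberately narrow (named parent image, fixed child and directory lists) so they stay quiet on normal engineering work; once the real image names and project paths are known, widen the file-create check to any write by the tool outside its project tree rather than only to the listed drop directories.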
CVEs (9)
API: /api/v1/advisories/7247944e-9f3c-4415-933f-f6cee0f020d2