OTPulse

Pro-face GP-Pro EX

Monitor | CVSS 5.3 | SEVD-2023-220-01 | Aug 8, 2023

Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Schneider Electric Pro-face GP-Pro EX contains a memory corruption vulnerability in the WinGP HMI runtime module. The vulnerability exists in GP-Pro EX WinGP for iPC and PC/AT versions 4.09.450 and prior. Successful exploitation requires local access and user interaction but could result in memory corruption leading to information disclosure or code execution on systems running the HMI software.

What this means
What could happen
Memory corruption in the HMI runtime could allow an attacker to read sensitive process data or alter how the human-machine interface displays or controls industrial equipment.
Who's at risk
Energy utilities and manufacturing facilities using Pro-face GP-Pro EX as their HMI (human-machine interface) software on Windows engineering workstations or operator stations. Affects both the iPC and PC/AT variants of the WinGP runtime used to display and control industrial processes.
How it could be exploited
An attacker would need to execute malicious code or craft a specially formatted HMI project file on the Windows system running GP-Pro EX WinGP. If the software processes this crafted input, it could trigger a buffer overflow or similar memory corruption, leading to code execution or information disclosure on the HMI system.
Prerequisites
  • Local access to the Windows system running GP-Pro EX WinGP
  • Ability to interact with the application (user interaction required per CVSS vector)
  • Knowledge of HMI project file format or input structure
Tags: local code execution required · user interaction required · affects HMI system · low EPSS score (easy to exploit but low probability of real-world attack)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2), 2 with fix

Product | Affected Versions | Fix Status
GP-Pro EX WinGP for iPC v4.09.450 and prior | ≤ 4.09.450 | 4.09.500
GP-Pro EX WinGP for PC/AT v4.09.450 and prior | ≤ 4.09.450 | 4.09.500
Remediation & Mitigation

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Update GP-Pro EX WinGP to version 4.09.500 or later