CVE-2021-34605

7.3 HIGH

📋 TL;DR

The XINJE XD/E Series PLC Program Tool extracts ZIP-based project files without sanitising the paths stored in the archive (zip slip, a path traversal during extraction). An attacker who gets a user to open a crafted project file, or who controls a PLC from which the tool uploads a project, can therefore write files to arbitrary locations on the engineering workstation. On Windows an arbitrary file write is readily turned into code execution as the logged-on engineer (for example by dropping a file into a Startup folder); data theft or a crashed workstation are the lesser outcomes. All versions up to and including v3.5.1 are affected.

💻 Affected Systems

Products:
  • XINJE XD/E Series PLC Program Tool
Versions: Up to and including v3.5.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction: an engineer must open a malicious project file or upload a project from a compromised PLC.

📦 What is this software?

The XD/E Series PLC Program Tool is XINJE's Windows engineering software for writing, compiling and downloading programs to, and uploading them from, XINJE XD and XE series PLCs. Its project files are ZIP archives that the tool unpacks when a project is opened; that extraction step is where the zip slip occurs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Code execution on the engineering workstation, followed by manipulation of PLC programs, disruption of the industrial process, and lateral movement to other systems reachable from that workstation.

🟠 Likely Case

Arbitrary file write on the engineering workstation leading to data exfiltration or denial of service (overwritten or corrupted files).

🟢 If Mitigated

Limited impact if project files come only from trusted sources and programming stations are segmented; at worst an isolated engineering station is affected.

🌐 Internet-Facing: LOW (requires user interaction with malicious files or infected PLC uploads, not directly internet-exposed)
🏢 Internal Only: MEDIUM (requires internal network access and user interaction, but can spread via infected PLCs)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction but has been publicly documented with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.5.2 or later

Research writeup (Claroty Team82): https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-execution-exploiting-vulnerabilities-in-xinje-plc-program-tool/

Restart Required: Yes

Instructions:

  1. Download the latest version from the XINJE official website.
  2. Uninstall the current version.
  3. Install the updated version.
  4. Restart the system.

🔧 Temporary Workarounds

Restrict project file sources (applies to: all versions)

Only open project files from trusted sources and verify their integrity (for example, a hash supplied by the originating engineer) before opening them.

Network segmentation (applies to: all versions)

Isolate PLC programming stations from the general network and from internet access.

🧯 If You Can't Patch

  • Implement strict file validation procedures for all project files
  • Segment PLC programming stations and restrict user privileges
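The "validate file integrity" workaround above and the "strict file validation" step here come down to the same check: inspect the archive member names before anything extracts them. The following is an added example, not code from XINJE, Claroty or the original advisory. It builds a constructed ZIP-based project with a traversal entry, flags it, and contrasts the vulnerable extraction pattern (join the stored name onto the destination and write) with a hardened one that refuses the whole archive. The archive layout and member names are assumptions; the real project file format is not described on this page.

```python
# Added example, not code from XINJE, Claroty or the original advisory: flag
# zip-slip member names in a ZIP-based project file and contrast the vulnerable
# extraction pattern with a hardened one. Archive layout and member names are
# constructed for the demo; the real project file format is not described here.
import io
import os
import shutil
import tempfile
import zipfile


def is_unsafe_member_name(name: str) -> bool:
    """True if a member name could land outside the extraction directory.
    Windows extractors treat '\\' like '/', so both count as separators, and
    absolute, drive-letter (C:...) and UNC (\\\\server) names are rejected."""
    norm = name.replace("\\", "/")
    head = norm.split("/", 1)[0]
    if norm.startswith("/") or (len(head) == 2 and head[1] == ":" and head[0].isalpha()):
        return True
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the extraction root
                return True
        else:
            depth += 1
    return False


def find_zip_slip(data: bytes) -> list[str]:
    """Member names that would escape the destination directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_member_name(i.filename)]


def unsafe_extract(data: bytes, dest: str) -> None:
    """The vulnerable pattern: join the stored name onto dest and write it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # BUG: trusts the archive
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Hardened version: refuse the whole archive if any member escapes."""
    bad = find_zip_slip(data)
    if bad:
        raise ValueError(f"zip slip members: {bad}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:  # resolved-path check
                raise ValueError(f"escapes destination: {info.filename}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed project-style archive with attacker-chosen member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


BENIGN = {"program/main.bin": b"ladder logic", "program/config.ini": b"[plc]\n"}
MALICIOUS = {**BENIGN, "../../planted.txt": b"written outside the project dir"}


def demo() -> dict:
    """Run both extractors in a scratch tree and report what happened."""
    root = tempfile.mkdtemp(prefix="zipslip-")
    try:
        data = build_archive(MALICIOUS)
        unsafe_extract(data, os.path.join(root, "a", "proj", "extract"))
        dest_b = os.path.join(root, "b", "proj", "extract")
        try:
            safe_extract(data, dest_b)
            refused = False
        except ValueError:
            refused = True
        return {
            "flagged": find_zip_slip(data),
            "unsafe_escaped": os.path.isfile(os.path.join(root, "a", "planted.txt")),
            "safe_refused": refused,
            "safe_planted": os.path.exists(os.path.join(root, "b", "planted.txt")),
            "safe_benign_count": len(safe_extract(build_archive(BENIGN), dest_b)),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The hardened extractor rejects the archive outright rather than skipping the offending member: a project that carries a traversal entry is hostile, and partial extraction would still leave the engineer working with attacker-controlled content. The second, resolved-path check after `realpath` is cheap insurance against names that pass the textual test but resolve elsewhere via a symlink already present in the destination.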

🔍 How to Verify

Check if Vulnerable:

Check the software version in Help > About. If it is 3.5.1 or earlier, the installation is vulnerable.

Check Version:

Check via GUI: Help > About in XINJE PLC Program Tool

Verify Fix Applied:

Verify version is 3.5.2 or later in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • File writes by the Program Tool process outside its install, project and temp directories, in particular into Startup folders or system directories
  • Multiple failed project file openings
  • Unexpected PLC upload requests

Network Indicators:

  • Unusual network traffic from PLC programming stations
  • Unexpected file transfers to/from PLCs

SIEM Query:

EventID=4688 AND ProcessName LIKE '%XINJE%' AND CommandLine LIKE '%.xdp%'

This query only records that the tool was launched with a project file on its command line, which is normal activity; it narrows the time window but does not show the malicious write. Pair it with file-creation telemetry (Sysmon Event ID 11) where Image is the Program Tool and TargetFilename lies outside the tool's install, project and temp directories, and treat writes into a Startup folder or a system directory as high severity.
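As an added example that is not part of the original advisory, the following triages Sysmon FileCreate (Event ID 11) records for writes made by the Program Tool process outside the directories it is expected to touch, which is the telemetry that actually surfaces a zip-slip payload landing. The sample events, the `engineer` user, the executable name and the install and project paths are constructed assumptions to adapt to the site; `Image` and `TargetFilename` are the real Sysmon field names.

```python
# Added example (not part of the original advisory): triage Sysmon FileCreate
# (Event ID 11) records for writes by the PLC Program Tool outside its expected
# directories. Events, user name, executable name and paths are constructed
# assumptions; adjust the root lists to the site's actual layout.
import ntpath

TOOL_IMAGE_KEYWORD = "xinje"  # substring expected in the tool's Image path (assumption)

# Where the tool legitimately writes: install dir, project folder, temp (assumed).
ALLOWED_ROOTS = [
    r"C:\Program Files (x86)\XINJE",
    r"C:\Users\engineer\Documents\XINJE Projects",
    r"C:\Users\engineer\AppData\Local\Temp",
]

# Writes here turn an arbitrary file write into code execution at logon or boot.
HIGH_RISK_ROOTS = [
    r"C:\Users\engineer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    r"C:\Windows\System32",
]


def _norm(path: str) -> str:
    # normpath collapses '..' segments and fixes separators, normcase lowercases;
    # ntpath works on Windows paths regardless of the host running the triage.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """Prefix check on normalised paths; 'System32x' must not match 'System32'."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def triage(events: list[dict]) -> list[dict]:
    """Alerts for FileCreate events by the tool outside ALLOWED_ROOTS."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        if TOOL_IMAGE_KEYWORD not in ev.get("Image", "").lower():
            continue
        target = ev.get("TargetFilename", "")
        if any(is_under(target, r) for r in ALLOWED_ROOTS):
            continue
        severity = "high" if any(is_under(target, r) for r in HIGH_RISK_ROOTS) else "medium"
        alerts.append({"severity": severity, "image": ev["Image"],
                       "target": target, "time": ev.get("UtcTime", "")})
    return alerts


# Constructed Sysmon-style records: a normal project save, a write into the
# user's Startup folder (what a zip-slip payload would aim for), a write to an
# unexpected but less dangerous location, and an unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-01-10 09:01:12.001",
     "Image": r"C:\Program Files (x86)\XINJE\XDPPro\XDPPro.exe",
     "TargetFilename": r"C:\Users\engineer\Documents\XINJE Projects\line3\line3.xdp"},
    {"EventID": 11, "UtcTime": "2024-01-10 09:01:13.447",
     "Image": r"C:\Program Files (x86)\XINJE\XDPPro\XDPPro.exe",
     "TargetFilename": r"C:\Users\engineer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 11, "UtcTime": "2024-01-10 09:01:13.450",
     "Image": r"C:\Program Files (x86)\XINJE\XDPPro\XDPPro.exe",
     "TargetFilename": r"C:\Users\Public\notes.txt"},
    {"EventID": 11, "UtcTime": "2024-01-10 09:02:00.000",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\engineer\Desktop\new.txt"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['image']} -> {a['target']}")
```

The allowlist approach is deliberate: the tool has a small, stable set of directories it writes to, so anything else is worth a look, and the Startup and system roots only add severity on top. Run the same logic over the events immediately following a 4688 launch of the tool to tie the write back to the project file that was opened.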

🔗 References

  • Claroty Team82, "From Project File to Code Execution: Exploiting Vulnerabilities in XINJE PLC Program Tool" (11 May 2022): https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-execution-exploiting-vulnerabilities-in-xinje-plc-program-tool/
  • NVD entry for CVE-2021-34605: https://nvd.nist.gov/vuln/detail/CVE-2021-34605
