CVE-2021-43556

7.8 HIGH

📋 TL;DR

CVE-2021-43556 is a stack-based buffer overflow vulnerability in FATEK WinProladder PLC programming software. Attackers can execute arbitrary code by tricking users into opening malicious project files. Organizations using WinProladder versions 3.30_24518 and earlier for industrial control systems are affected.

💻 Affected Systems

Products:
  • FATEK WinProladder
Versions: 3.30_24518 and prior
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of vulnerable versions; exploitation requires user interaction to open malicious project files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the engineering workstation, potentially enabling lateral movement to PLCs and other industrial systems.

🟠 Likely Case

Attacker executes arbitrary code on the engineering workstation, potentially stealing credentials, modifying PLC programs, or disrupting industrial processes.

🟢 If Mitigated

Limited impact with proper network segmentation and user awareness preventing malicious file execution.

🌐 Internet-Facing: LOW - WinProladder is typically used on internal engineering workstations, not directly internet-facing.
🏢 Internal Only: HIGH - Attackers with internal access or who can trick users into opening malicious files can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open malicious project files; multiple advisories from ZDI indicate weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.30_24519 or later

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-320-01

Restart Required: Yes

Instructions:

1. Download the latest version from the FATEK website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Restrict project file execution (Windows)

Configure Windows to open .wp3 files with a text editor instead of WinProladder. Run the commands from an elevated command prompt; note that these set the machine-wide default, and a per-user association chosen through Default Apps takes precedence over it, so check the result by double-clicking a known-good project file.

  assoc .wp3=txtfile
  ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1

Application whitelisting (Windows)

Use AppLocker or similar to restrict execution of WinProladder to trusted users only.

🧯 If You Can't Patch

  • Segment engineering workstations from production networks using firewalls
  • Implement strict user awareness training about opening untrusted project files

🔍 How to Verify

Check if Vulnerable:

Check WinProladder version in Help > About; if version is 3.30_24518 or earlier, system is vulnerable.

Check Version:

Check Help > About in WinProladder GUI (no CLI command available)

Verify Fix Applied:

Verify version is 3.30_24519 or later in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of WinProladder.exe
  • Unusual process creation from WinProladder

Network Indicators:

  • Unexpected network connections from engineering workstations

SIEM Query:

(EventID=1000 OR EventID=1001) AND ProcessName="WinProladder.exe"

The parentheses matter: without them AND binds tighter than OR, so the query would return every Application Error (1000) event on the host and only the Windows Error Reporting (1001) events for WinProladder.exe.
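The two log indicators above, checked on the workstation itself, as an added example that is not part of the advisory: it assumes the executable is named WinProladder.exe, that the Security log has process-creation auditing (Event ID 4688) enabled, and that the script runs elevated; the $Hours lookback parameter is hypothetical.

```powershell
# Added example, not from the advisory: triage a WinProladder engineering
# workstation's local event logs for crashes and unexpected child processes.
param([int]$Hours = 24)   # hypothetical lookback window
$since = (Get-Date).AddHours(-$Hours)

# 1. Crashes: Application Error (1000) and Windows Error Reporting (1001).
#    Filter on both IDs first, then on the process, so the process condition
#    applies to both IDs rather than only to 1001.
$crashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1001; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'WinProladder\.exe' } |
    ForEach-Object {
        # Event 1000 messages carry "Faulting module name: <dll>, ..."; 1001 does not.
        $module = if ($_.Message -match 'Faulting module name:\s*([^,\r\n]+)') { $Matches[1] } else { 'n/a' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; FaultingModule = $module }
    }

# 2. Processes spawned by WinProladder. Security event 4688 includes the
#    "Creator Process Name" field on Windows 10 / Server 2016 and later.
$children = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Creator Process Name:\s*.*\\WinProladder\.exe' } |
    ForEach-Object {
        $child = if ($_.Message -match 'New Process Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; NewProcess = $child }
    }

# 3. Report. A crash followed within minutes by a child process such as a shell
#    or script host is the pattern worth escalating to incident response.
"WinProladder crashes in the last $Hours h: $(@($crashes).Count)"
$crashes | Sort-Object Time | Format-Table -AutoSize
"Processes spawned by WinProladder in the last $Hours h: $(@($children).Count)"
$children | Sort-Object Time | Format-Table -AutoSize
```

Without the Security-log audit policy the second query returns nothing, not an error, so confirm "Audit Process Creation" is enabled before reading an empty result as a clean host.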

🔗 References
