CVE-2023-22346 – An out-of-bounds read vulnerability in Screen C... (How to Fix)

Q: What is the severity of CVE-2023-22346?

CVE-2023-22346 has a CVSS score of 7.8 (HIGH). An out-of-bounds read vulnerability in Screen Creator Advance 2 allows attackers to craft malicious project files that, when opened by users, can lead to information disclosure or arbitrary code execution. This affects users of Screen Creator Advance 2 version 0.1.1.4 Build01 and earlier who open untrusted project files. The vulnerability stems from improper bounds checking when processing template information.

📋 TL;DR

An out-of-bounds read vulnerability in Screen Creator Advance 2 allows attackers to craft malicious project files that, when opened by users, can lead to information disclosure or arbitrary code execution. This affects users of Screen Creator Advance 2 version 0.1.1.4 Build01 and earlier who open untrusted project files. The vulnerability stems from improper bounds checking when processing template information.

💻 Affected Systems

Products:

Screen Creator Advance 2

Versions: 0.1.1.4 Build01 and earlier

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable when processing project files.

📦 What is this software?

Screen Creator Advance 2 by Jtekt

View all CVEs affecting Screen Creator Advance 2 →

Screen Creator Advance 2 by Jtekt

View all CVEs affecting Screen Creator Advance 2 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the Screen Creator Advance 2 user, potentially leading to full system compromise.

🟠

Likely Case

Information disclosure through memory leaks or application crashes when users open malicious project files.

🟢

If Mitigated

Limited impact if users only open trusted project files from verified sources.

🌐 Internet-Facing: LOW - The application is not typically internet-facing; exploitation requires user interaction with malicious files.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious project files.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction to open a malicious project file. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 0.1.1.4 Build01

Vendor Advisory: https://www.electronics.jtekt.co.jp/en/topics/202302035233/

Restart Required: Yes

Instructions:

1. Download the latest version from JTEKT Electronics official website. 2. Uninstall the vulnerable version. 3. Install the updated version. 4. Restart the system.

🔧 Temporary Workarounds

Restrict project file sources

all

Only open project files from trusted, verified sources. Implement policies to block untrusted project files.

Application control

windows

Use application whitelisting to restrict execution of Screen Creator Advance 2 to authorized users only.

🧯 If You Can't Patch

Isolate systems running vulnerable software from network shares and untrusted file sources.
Implement user training to avoid opening untrusted project files and monitor for suspicious file activity.

🔍 How to Verify

Check if Vulnerable:

Check the software version in Help > About Screen Creator Advance 2. If version is 0.1.1.4 Build01 or earlier, it is vulnerable.

Check Version:

Not applicable - check via application GUI Help > About menu.

Verify Fix Applied:

After updating, verify the version in Help > About shows a version later than 0.1.1.4 Build01.

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory access violations
Unexpected file opens of .sca or project files

Network Indicators:

Unusual file transfers of project files to/from affected systems

SIEM Query:

EventID=1000 OR EventID=1001 Source='Screen Creator Advance 2' OR ProcessName='ScreenCreatorAdvance2.exe'

📊 Metadata

CVE ID: CVE-2023-22346

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: February 13, 2023

Last Updated: March 21, 2025

🔗 References

https://jvn.jp/en/vu/JVNVU98917488/ Patch,Third Party Advisory,VDB Entry
https://www.electronics.jtekt.co.jp/en/topics/202302035233/ Patch,Vendor Advisory
https://www.electronics.jtekt.co.jp/jp/topics/2023020313454/ Patch,Vendor Advisory
https://jvn.jp/en/vu/JVNVU98917488/ Patch,Third Party Advisory,VDB Entry
https://www.electronics.jtekt.co.jp/en/topics/202302035233/ Patch,Vendor Advisory
https://www.electronics.jtekt.co.jp/jp/topics/2023020313454/ Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-22346, you might also want to check these: