CVE-2023-28729

7.8 HIGH

📋 TL;DR

A type confusion vulnerability in Panasonic Control FPWIN Pro allows arbitrary code execution when opening malicious project files. This affects all versions up to and including 7.6.0.3, putting industrial control system operators at risk.

💻 Affected Systems

Products:
  • Panasonic Control FPWIN Pro
Versions: All versions up to and including 7.6.0.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where FPWIN Pro is installed and users open project files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the engineering workstation leading to PLC reprogramming, process disruption, or lateral movement into OT networks.

🟠 Likely Case

Local privilege escalation or malware installation on engineering workstations used for PLC programming.

🟢 If Mitigated

Limited to isolated engineering workstation compromise if proper network segmentation is in place.

🌐 Internet-Facing: LOW - This software is typically not exposed to the internet in industrial environments.
🏢 Internal Only: HIGH - Attackers with internal access can exploit this via social engineering or compromised files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction: the victim must open a malicious project file. Type confusion vulnerabilities often lead to reliable exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6.0.4 or later

Vendor Advisory: https://industry.panasonic.eu/factory-automation/programmable-logic-controllers-plc/plc-software/programming-software-control-fpwin-pro

Restart Required: Yes

Instructions:

1. Download the latest version from the Panasonic website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Restrict project file execution (Windows)

Block execution of .pro files or restrict to trusted sources only.

User awareness training (all platforms)

Train users to only open project files from trusted sources.

🧯 If You Can't Patch

  • Isolate engineering workstations from production networks and internet
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check the FPWIN Pro version in Help > About. If the version is 7.6.0.3 or earlier, the system is vulnerable.

Check Version:

Not applicable - check via application GUI Help > About

Verify Fix Applied:

Verify version is 7.6.0.4 or later in Help > About menu.
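The version check above is a manual one, but once versions have been collected from Help > About across a fleet, the comparison against the fixed release is easy to get wrong if done as a string compare ("7.6.0.10" sorts before "7.6.0.4" lexicographically). The following is an added example, not part of the original advisory or Panasonic's tooling; it assumes version strings were gathered by hand or from an inventory export, and the host inventory it triages is constructed.

```python
import re

# First fixed release, taken from the advisory above.
FIXED_VERSION = "7.6.0.4"


def parse_version(text):
    """Turn a dotted version string into a tuple of ints, padded to four
    components so that "7.6" compares as 7.6.0.0. Rejects anything that is
    not purely numeric dotted components."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is older than the first fixed one.
    Numeric tuple comparison avoids the string-ordering pitfall."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def hosts_needing_patch(inventory):
    """Given {hostname: version} (as collected from Help > About), return the
    sorted list of hosts still running a vulnerable release."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "eng-ws-01": "7.6.0.3",
    "eng-ws-02": "7.6.0.4",
    "eng-ws-03": "7.6.0.10",
    "eng-ws-04": "7.5",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is vulnerable, upgrade to {FIXED_VERSION}+")
```

The padding rule means a two- or three-component version reported by an older build still compares sensibly against the four-component fixed version.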

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process creation from FPWIN Pro
  • Abnormal file access patterns for .pro files

Network Indicators:

  • Unusual outbound connections from engineering workstations

SIEM Query:

Process creation where parent_process contains 'fpwin' and process_name not in approved_list
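The SIEM query above is pseudo-syntax. As an added example, not taken from the advisory or from any SIEM product, here is the same detection logic run over a handful of constructed process-creation events in a Sysmon Event ID 1 style. The field names (UtcTime, ParentImage, Image, CommandLine), the install path of FPWIN Pro and the approved-children list are all assumptions that a real deployment would replace with its own schema and a baseline of what FPWIN Pro normally spawns.

```python
import ntpath

# Children FPWIN Pro is expected to spawn on this host. Assumed allow-list;
# derive the real one from a baseline of normal engineering-workstation use.
APPROVED_CHILDREN = {"conhost.exe", "werfault.exe"}

# Constructed sample events; the FPWIN Pro path is a placeholder, not the
# product's real install location.
FPWIN_PATH = r"C:\PLACEHOLDER\FPWIN Pro.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-15 09:00:41", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": FPWIN_PATH, "CommandLine": '"FPWIN Pro.exe" line3.pro'},
    {"UtcTime": "2024-01-15 09:01:02", "ParentImage": FPWIN_PATH,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"UtcTime": "2024-01-15 09:02:10", "ParentImage": FPWIN_PATH,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"UtcTime": "2024-01-15 09:05:33", "ParentImage": FPWIN_PATH.lower(),
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]


def fpwin_is_parent(event):
    """Mirrors `parent_process contains 'fpwin'`, case-insensitively, on the
    parent's file name only so directory names cannot cause false matches."""
    return "fpwin" in ntpath.basename(event["ParentImage"]).lower()


def suspicious_children(events):
    """Return (time, child name, command line) for every process spawned by
    FPWIN Pro whose image is not on the approved list. Events where FPWIN Pro
    is itself the child (normal launch) are ignored."""
    hits = []
    for ev in events:
        if not fpwin_is_parent(ev):
            continue
        child = ntpath.basename(ev["Image"]).lower()
        if child not in APPROVED_CHILDREN:
            hits.append((ev["UtcTime"], child, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for when, child, cmdline in suspicious_children(SAMPLE_EVENTS):
        print(f"{when}  FPWIN Pro spawned {child}: {cmdline}")
```

Using ntpath rather than os.path keeps the basename split correct for Windows paths even when the analysis runs on a Linux SIEM host; the allow-list is deliberately small, since an engineering tool that opens project files has little reason to launch shells or script interpreters.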

🔗 References
