CVE-2026-22208
📋 TL;DR
OpenS100 (S-100 viewer reference implementation) contains a remote code execution vulnerability where untrusted portrayal catalogues can execute arbitrary Lua code with full system access. Attackers can craft malicious S-100 catalogues that execute commands when imported by users. This affects all users of OpenS100 prior to commit 753cf29.
💻 Affected Systems
- OpenS100 (S-100 viewer reference implementation)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with the privileges of the OpenS100 process, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attackers trick users into importing malicious S-100 catalogues, executing commands to steal sensitive data, install malware, or pivot to other systems.
If Mitigated
Limited impact if proper network segmentation and user privilege restrictions are in place, though local data could still be compromised.
🎯 Exploit Status
Exploitation requires user interaction to import a malicious catalogue, but the technical complexity is low once the malicious file is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 753cf294434e8d3961f20a567c4d99151e3b530d and later
Vendor Advisory: https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d
Restart Required: Yes
Instructions:
1. Update OpenS100 to commit 753cf29 or later
2. Rebuild from source if using a compiled version
3. Restart any running OpenS100 processes
🔧 Temporary Workarounds
Disable Lua script processing
Platform: all
Modify OpenS100 configuration to disable Lua script execution in portrayal catalogues
Modify opens100_config.xml to set <enable_lua>false</enable_lua>
Restrict catalogue sources
Platform: all
Only allow S-100 catalogues from trusted, verified sources
Configure firewall rules to block untrusted catalogue sources
🧯 If You Can't Patch
- Run OpenS100 with minimal user privileges (non-admin/non-root account)
- Implement application whitelisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check OpenS100 version/git commit hash - if earlier than commit 753cf29, it's vulnerable
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify current commit includes 753cf29 changes by checking git log or version information
📡 Detection & Monitoring
Log Indicators:
- Unusual Lua script execution in OpenS100 logs
- Suspicious process creation from OpenS100
- Unexpected network connections from OpenS100 process
Network Indicators:
- Downloads of S-100 catalogues from untrusted sources
- Outbound connections to suspicious IPs after catalogue import
SIEM Query:
Process Creation where Parent Process Name contains 'opens100' AND Command Line contains suspicious patterns (cmd.exe, powershell, wget, curl, etc.)
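
The SIEM query above, written out as an added Python example (not from the advisory or the OpenS100 project) and run over constructed process-creation records. The field names follow Sysmon's ParentImage/Image/CommandLine and are an assumption about your log schema; it matches whole program names rather than raw substrings, so an argument such as curly-notes.txt does not fire.

```python
import re
from ntpath import basename  # splits on both \ and /

# Program names listed in the SIEM query above; extend for your environment.
SUSPICIOUS = ("cmd.exe", "powershell", "wget", "curl")

# Constructed sample records (not real telemetry); paths are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Tools\OpenS100\OpenS100.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Tools\OpenS100\OpenS100.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\charts\curly-notes.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"ParentImage": r"C:\Tools\OpenS100\OPENS100.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "PowerShell -NoProfile -Command Get-Date"},
]


def _norm(name):
    """Lower-case a file name and drop a trailing .exe."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def _names(command_line):
    """Return the normalised base name of every token in a command line."""
    tokens = re.split(r"[\s\"']+", command_line)
    return {_norm(basename(t)) for t in tokens if basename(t)}


def flag_opens100_children(events, watched=SUSPICIOUS, parent_marker="opens100"):
    """Return (Image, matched names) for watched children of an OpenS100 parent."""
    watched = {_norm(w) for w in watched}
    hits = []
    for ev in events:
        parent = basename(ev.get("ParentImage", "")).lower()
        if parent_marker not in parent:
            continue  # only children of the OpenS100 process are of interest
        image = ev.get("Image", "")
        names = {_norm(basename(image))} | _names(ev.get("CommandLine", ""))
        matched = sorted(names & watched)
        if matched:
            hits.append((image, matched))
    return hits
```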