Connect with us

Hi, what are you looking for?



Panasonic Patches Flaws in PLC Programming Software

Panasonic has released an update for its FPWIN Pro application to patch several vulnerabilities identified by a researcher.

Panasonic has released an update for its FPWIN Pro application to patch several vulnerabilities identified by a researcher.

Panasonic FPWIN Pro is a programming software for the company’s FP series programmable logic controllers (PLCs). The product, developed by Panasonic’s industrial devices unit, is deployed in North America, Europe and Asia in the critical manufacturing, commercial facilities, and food and agriculture sectors.

Security researcher Steven Seeley of Source Incite discovered that the product is plagued by multiple vulnerabilities that can be exploited for remote code execution and to cause the application to crash.

Seeley reported his findings via the Zero Day Initiative (ZDI), which published separate advisories for each of the flaws. ICS-CERT has also published an advisory to briefly describe the vulnerabilities and their impact.

The researcher discovered two heap-based buffer overflow (CVE-2016-4499), uninitialized pointer access (CVE-2016-4498), type confusion (CVE-2016-4497), and multiple out-of-bounds write vulnerabilities (CVE-2016-4496). All of these issues have been assigned a medium severity rating.

The security holes can be exploited by an attacker who can convince the targeted user to open a malicious project file. While ICS-CERT’s advisory says the vulnerabilities can be leveraged to crash Panasonic’s FPWIN Pro software, ZDI says they can also be exploited for arbitrary code execution. ICS-CERT pointed out that the flaws don’t impact the systems controlled by the software.

Related: Registration for 2016 ICS Cyber Security Conference Now Open

“Crafting a working exploit for these vulnerabilities would be difficult. Social engineering is required to convince the user to accept the malformed project file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit,” ICS-CERT explained.

Advertisement. Scroll to continue reading.

The flaws affect FPWIN Pro 5.x, FPWIN Pro 6.x, and FPWIN Pro 7.122 and prior versions. Panasonic was informed about the vulnerabilities in early February and the company addressed them on April 26 with the release of FPWIN Pro 7.130.

The vendor noted that version 5.x has reached end-of-support, and version 6.x will no longer be supported starting with September 2016. Users of these older versions have been advised to upgrade their products.

Related Reading: PLC Worms Can Pose Serious Threat to Industrial Networks

Related Reading: High Severity Flaw Found in Schneider PLC Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...


Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...