## Vulnerability Summary

**Date**: January 13th, 2022

**Title**: Fatek Automation WinProladder PDW File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

**ID**:

- ZDI-22-028
- ZDI-CAN-14517

---

## Vulnerability Details

**CVE ID**: CVE-2021-43554

**CVSS Score**: 7.8, AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**Affected Vendor**: Fatek Automation

**Affected Product**: WinProladder

---

## Description

- **Description**: This vulnerability allows remote attackers to execute arbitrary code on affected Fatek Automation WinProladder installations. Exploitation requires user interaction, such as visiting a malicious webpage or opening a malicious file.
- **Cause**: The issue arises during PDW file parsing, where insufficient validation of user-supplied data may lead to out-of-bounds writes before data structures are properly allocated. Attackers can exploit this to execute code within the context of the current process.

---

## Additional Information

- Fatek Automation has released an update to fix this vulnerability. More information is available at:
  - [https://www.cisa.gov/uscert/ics/advisories/icsa-21-320-01](https://www.cisa.gov/uscert/ics/advisories/icsa-21-320-01)

---

## Disclosure Timeline

- 2021-07-30: Vulnerability reported to vendor
- 2022-01-13: Public disclosure coordinated and released

**Reporter**: xina1i