CVE-2021-42707: 
Wecon PLC Editor vulnerability analysis and mitigation

CVE-2021-42707 is an out-of-bounds write vulnerability affecting WECON PLC Editor versions 1.3.8 and prior. The vulnerability was discovered by Natnael Samson working with Trend Micro's Zero Day Initiative and was disclosed on November 11, 2021. The vulnerability affects critical infrastructure sectors including Critical Manufacturing, Energy, and Water and Wastewater Systems (CISA Advisory).

The vulnerability exists within the parsing of WCP files in WECON PLC Editor. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition through an out-of-bounds write operation. The vulnerability has been assigned a CVSS v3 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating local attack vector, low attack complexity, no privileges required, and user interaction required (ZDI Advisory).

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the current process. The vulnerability can potentially impact confidentiality, integrity, and availability with high severity (CISA Advisory).

WECON has not responded to requests to work with CISA to mitigate these vulnerabilities. Users are advised to contact WECON technical support for additional information. CISA recommends users take measures to protect themselves from social engineering attacks, including not clicking web links or opening unsolicited attachments in email messages (CISA Advisory).