CVE-2018-7817
Description
A use-after-free vulnerability in Zelio Soft 2 prior to v5.2 allows remote code execution when opening a specially crafted project file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Use After Free (CWE-416) vulnerability exists in Zelio Soft 2 version 5.1 and prior versions [1]. This occurs when the software processes a specially crafted project file, as the programming platform fails to properly manage memory after it has been freed, leading to potential exploitation [1].
Exploitation
Exploitation requires low skill level and user interaction [1]. An attacker must convince a user to open a maliciously crafted Zelio Soft project file [1]. The attack vector is local, meaning the attacker needs to deliver the file to the target system, but no special privileges are required by the attacker prior to the exploit [1].
Impact
Successful exploitation results in remote code execution in the context of the application [1]. The CVSS v3 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a high impact on confidentiality, integrity, and availability, though the scope remains unchanged [1].
Mitigation
Schneider Electric has released version 5.2 of Zelio Soft to fix this vulnerability [1]. Users should upgrade to the latest version available for download. Additionally, CISA recommends minimizing network exposure for control system devices, locating them behind firewalls, and using secure remote access methods [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.1
- Schneider Electric SE/Zelio Soft 2 v5.1 and prior versions | v5 | Range: Zelio Soft 2 v5.1 and prior versions
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.securityfocus.com/bid/106481 (mitre: vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-19-008-01 (mitre: x_refsource_MISC)
- www.schneider-electric.com/en/download/document/SEVD-2018-361-01/ (mitre: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.