CVE-2018-8840
Description
A remote attacker could send a carefully crafted packet in InduSoft Web Studio v8.1 and prior versions, and/or InTouch Machine Edition 2017 v8.1 and prior versions during a tag, alarm, or event related action such as read and write, which may allow remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote, unauthenticated attacker can trigger a stack-based buffer overflow in InduSoft Web Studio and InTouch Machine Edition to achieve remote code execution.
Vulnerability
A stack-based buffer overflow (CWE-121) exists in InduSoft Web Studio v8.1 and prior versions and InTouch Machine Edition 2017 v8.1 and prior versions. The vulnerability is triggered during tag, alarm, or event related actions (such as read and write) when a specially crafted packet is sent. The overflow occurs within TCPServer.dll via command 50, which is similar to the command 49 bug in CVE-2017-14024 [1][3].
Exploitation
An attacker can send a crafted packet over the network to the affected service (default port 1234) without any authentication. Tenable published a proof-of-concept that sends a TCP payload containing command 50 followed by a long string of 'A' characters (0x500 bytes) to trigger the overflow [3]. No user interaction or special privileges are required, and the attack is remotely exploitable with low skill level [1].
Impact
Successful exploitation allows remote code execution with the privileges of the service, which typically runs at high system privileges. This can lead to full compromise of the device, with impact on confidentiality, integrity, and availability (CIA). The CVSS v3 base score is 9.8 (Critical) [1].
Mitigation
Schneider Electric released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to fix this vulnerability. Users should upgrade to these versions as soon as possible. No workaround other than the patch is available, and the CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1][2][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=8.1
- Range: <=8.1
- Range: InduSoft Web Studio v8.1 and prior versions, and InTouch Machine Edition 2017 v8.1 and prior versions.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stack buffer overflow in TCPServer.dll when calling mbstowcs() with an oversized input on command 50."
Attack vector
An unauthenticated remote attacker sends a crafted TCP packet to port 1234 of the target InduSoft Web Studio or InTouch Machine Edition server. The packet uses command 50 and includes an oversized payload (e.g., 0x500 bytes of 'A' characters) that triggers a stack buffer overflow in the mbstowcs() call within TCPServer.dll [ref_id=1]. The overflow can overwrite critical stack data, enabling arbitrary code execution.
Affected code
The vulnerability resides in TCPServer.dll, specifically in code that calls mbstowcs() when processing command 50. This is similar to the previously patched CVE-2017-14024 which involved command 49 in the same DLL [ref_id=1].
What the fix does
Schneider Electric released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address the vulnerability [ref_id=1]. The advisory does not include a patch diff, but the fix likely adds bounds checking on the input buffer before the mbstowcs() call in TCPServer.dll to prevent the stack buffer overflow when processing command 50.
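The kind of bounds check described above, as an added sketch; it is not Schneider Electric's code and does not come from the advisory. `NAME_CAP`, `field_to_wide` and the idea of a length-delimited field taken from the packet are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define NAME_CAP 256 /* assumed capacity of the destination, in wide characters */

/* Convert an untrusted, length-delimited byte field to a wide string.
 * Returns the number of wide characters written (terminator excluded),
 * or -1 when the field is rejected. Hypothetical helper, not vendor code. */
long field_to_wide(const unsigned char *field, size_t field_len,
                   wchar_t *dst, size_t dst_cap)
{
    char tmp[NAME_CAP];

    if (field == NULL || dst == NULL || dst_cap == 0)
        return -1;
    /* Reject before any copy: both buffers need room for a terminator. */
    if (field_len >= sizeof tmp || field_len >= dst_cap)
        return -1;
    /* An embedded NUL would make the converted length disagree with field_len. */
    if (memchr(field, 0, field_len) != NULL)
        return -1;

    memcpy(tmp, field, field_len);
    tmp[field_len] = '\0';

    /* The third argument of mbstowcs() is how many wide characters the
     * destination can hold. It must come from dst_cap, never from the input. */
    size_t n = mbstowcs(dst, tmp, dst_cap - 1);
    if (n == (size_t)-1)
        return -1; /* invalid multibyte sequence */
    dst[n] = L'\0'; /* mbstowcs() does not terminate when it stops at the limit */
    return (long)n;
}

int main(void)
{
    unsigned char oversized[0x500]; /* constructed input, same size as in the text */
    wchar_t out[NAME_CAP];

    memset(oversized, 'A', sizeof oversized);
    printf("oversized field -> %ld\n",
           field_to_wide(oversized, sizeof oversized, out, NAME_CAP));
    printf("short field     -> %ld\n",
           field_to_wide((const unsigned char *)"TAG1", 4, out, NAME_CAP));
    return 0;
}
```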
Preconditions
- auth: No authentication required
- network: Attacker must be able to reach the target on TCP port 1234
- config: Target must be running InduSoft Web Studio v8.1 or prior, or InTouch Machine Edition 2017 v8.1 or prior
Reproduction
The following proof of concept was published by Tenable [ref_id=1]:
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- software.schneider-electric.com/pdf/security-bulletin/lfsec00000125/ (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/103949 (mitre, vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-18-107-01 (mitre, x_refsource_MISC)
- www.tenable.com/security/research/tra-2018-07 (mitre, x_refsource_MISC)